MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd0a2829a8e97e5985e07b610f5a88964d9c00e6d65cb179e0d9724105b92172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd0a2829a8e97e5985e07b610f5a88964d9c00e6d65cb179e0d9724105b92172
SHA3-384 hash: 280494c18e911dc867389bea893e5c3026c3bef49781f07f33111f00eec0396cf9a1e07e229189d8427500e104cbd6dd
SHA1 hash: 7625f63e879775b816152672a1cf107484e378df
MD5 hash: 93a29ebe57240687b0418a092358c3a3
humanhash: mockingbird-don-lake-uncle
File name:PURCHASE ORDER - 0058.pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:801'792 bytes
First seen:2021-06-08 07:04:39 UTC
Last seen:2021-06-08 08:11:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'649 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:AgDUVYtXiZNJvSgt7aYVKn1HvCUklX6ZDI/FI:AgDUYtXiZvvS4KndCDlKZ09
Threatray 26 similar samples on MalwareBazaar
TLSH D4051211375CAB23E2FC063698B8585112F6BD422973D67FBCC839DE19E6B945B10B83
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
77.247.110.178:2828

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.247.110.178:2828 https://threatfox.abuse.ch/ioc/72144/

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER - 0058.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-08 07:05:45 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/a7962b74-f831-4591-9e9f-7897c081760d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165169/
Detection(s):
SecuriteInfo.com.PWS-FCZF93A29EBE5724.2201.6418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798663
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd0a2829a8e97e5985e07b610f5a88964d9c00e6d65cb179e0d9724105b92172/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 05:08:26 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ufcqkni5f7ftbpapnqq6wuiszgzyahg2zolc6pa3fzecbnzefza._file
Verdict:
unknown
Similar samples:
09b4b506c4b0cf86cee8208ecdb54da96b752b2ab1d4934f988fb6ca9c0cfe27
NanoCore
1a730ab5a834e3ec6e9ec7ab3f1bef307d13dd6377b4a625c5491922dcfefc12
NanoCore
3ba0da5db0ccdbabdfd7e95fe24a1c43056b77893dc6c589ede0a2a4ba365cce
NanoCore
525a8b4b10e2eb7067eac0ff67cffa19779019dbf5ea82f55f8b589acdd3049a
NanoCore
65e6fdc568ef538481a5bdfc4489a3bf077d6693c8f2bc1a0e6aff433e19b830
NanoCore
9e49394ef2a90c547ed4ec122d3ac11264d7e0d587383fda135f1b7bb96c8b88
NanoCore
a41e9786e52fb3009f9c3322bca19e600a7f46689f36893a0564e382555fe4c6
NanoCore
db294df49b653f61dfe2b05537c556e560f4aaef78c11dc0e5ccfc6a003c3dd3
NanoCore
f3696e27d29c6d4b4b3e0d3d6ecca76e5089db9e665a58ceb4d55e2416c7f0f3
NanoCore
fe60e9ec408cf61c465517c77e9a504d3e63679f733bcc02ffa4de14f5045d8d
NanoCore
+ 16 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210608-3h44436brn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
77.247.110.178:2828
Unpacked files
SH256 hash:
34e69e90b7cb6121c3f93911f21dfb00491ea5d5bb79bfce4902d04f72c24184
MD5 hash:
b6b086a0ab13f3feb9ee8c846d230e5d
SHA1 hash:
dd8e1b816f3e7d9dcfa6eddc20a27fe0fbed478a
Link:
https://www.unpac.me/results/6de0b771-44e3-48d1-bf89-d46360206f65/
SH256 hash:
fd0a2829a8e97e5985e07b610f5a88964d9c00e6d65cb179e0d9724105b92172
MD5 hash:
93a29ebe57240687b0418a092358c3a3
SHA1 hash:
7625f63e879775b816152672a1cf107484e378df
Link:
https://www.unpac.me/results/6de0b771-44e3-48d1-bf89-d46360206f65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd0a2829a8e97e5985e07b610f5a88964d9c00e6d65cb179e0d9724105b92172

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165169/

Comments