MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdcf37e1d95ce99fcd56130e6713b855abc230ab4382bdbcc488bbd19192467f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdcf37e1d95ce99fcd56130e6713b855abc230ab4382bdbcc488bbd19192467f
SHA3-384 hash: 63f54fe3d9c3f5a833c68058db0b42867df3941b7c9bb84076c444aa26476ed6534276e26039c0f31d7a8c07f24ae63c
SHA1 hash: 5eca91c90676fbe1fa01308217477416c02511c8
MD5 hash: 05b1ec3f7ff2cf7c20b3d76eb1b1d22c
humanhash: blossom-carbon-delta-burger
File name:Packinglist&certificate of imports.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:958'464 bytes
First seen:2021-04-22 05:45:13 UTC
Last seen:2021-04-22 07:19:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:supQIZQTxMZCZiZRecdiugRFaR6hV8higEZhwnvDzln75XG3FiLv7tzRRRRR5qWv:sdTxQuRRFMyVCigJvvln7BtRRRRR5qp
Threatray 321 similar samples on MalwareBazaar
TLSH 98159E41B3A9C8BAD41722F1D896F4F422917D45EA22912F359FBE1E75F335210A3E0B
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
NanoCore C2:
185.222.57.152:4001

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.222.57.152:4001 https://threatfox.abuse.ch/ioc/9369/

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Packinglist&certificate of imports.exe
Verdict:
Malicious activity
Analysis date:
2021-04-22 05:50:46 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/f9d1049c-00b9-4aa8-b98e-bd48e9afc0e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/143514/
Detection(s):
SecuriteInfo.com.Artemis05B1EC3F7FF2.9211.14793.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/692282
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 395077 Sample: Packinglist&certificate of ... Startdate: 22/04/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 14 other signatures 2->48 7 Packinglist&certificate of imports.exe 7 2->7         started        process3 file4 30 C:\Users\user\AppData\Roaming\bZRbTuK.exe, PE32 7->30 dropped 32 C:\Users\user\...\bZRbTuK.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmp466B.tmp, XML 7->34 dropped 36 Packinglist&certif... of imports.exe.log, ASCII 7->36 dropped 50 Adds a directory exclusion to Windows Defender 7->50 52 Injects a PE file into a foreign processes 7->52 11 Packinglist&certificate of imports.exe 7->11         started        16 powershell.exe 25 7->16         started        18 powershell.exe 25 7->18         started        20 2 other processes 7->20 signatures5 process6 dnsIp7 40 185.222.57.152, 4001, 49683, 49684 ROOTLAYERNETNL Netherlands 11->40 38 C:\Users\user\AppData\Roaming\...\run.dat, data 11->38 dropped 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->54 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        28 conhost.exe 20->28         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdcf37e1d95ce99fcd56130e6713b855abc230ab4382bdbcc488bbd19192467f/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-04-22 05:06:10 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xhtpyozltuz7tkwcmhgoe5ykwv4emfliobl3pgerc55demsiz7q._file
Verdict:
suspicious
Similar samples:
1cfe7afeaffc535ddacf05082d4e1cfb0254869e234ff08b22af04974ebfd1a4
NanoCore
4737b27bca728371f926c46621a70a908ab054e7981dc2aeb8849e8e169fc947
NanoCore
55c76cd025310d9609862f35b9631e570be8b9276725aeebf1535c400d648d6e
NanoCore
704bd3f6c7d6671e896d71bc871f415cfc78209ae32cc518e95e39e7c06f83ad
NanoCore
78331c132550493cdd32b3d458417f2e2f91de4c9384f3478aaa0fd50665dbb0
NanoCore
aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866
NanoCore
bd299f37aa9e98b1f42640c6c588b65fb932abd4c3c4b7d258e37be327ae60a4
NanoCore
c4694ce810c06b60cd032b8ff67964924a0c273a81f8ca5ce55064cf9fb6ec0a
NanoCore
f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582
NanoCore
f3b2b42ef8cec0923c1775d70e26d43577f386e0080b5e3215f608dd33e75313
NanoCore
+ 311 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210422-qq1xpjre3x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
185.222.57.152:4001
127.0.0.1:4001
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fdcf37e1d95ce99fcd56130e6713b855abc230ab4382bdbcc488bbd19192467f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/143514/

Comments