MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fded70e0d7bee0d44fdb8cd327a09f1a879d61cc35a57a4d2cba7d7d232eed18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 11 File information Comments

SHA256 hash: fded70e0d7bee0d44fdb8cd327a09f1a879d61cc35a57a4d2cba7d7d232eed18
SHA3-384 hash: 51f2bce175f546ce59c49698cbfc2532646d1603bc360c3fd2f35dd9b3233d2d6acd08ee1204df0dd86c96041eca8c77
SHA1 hash: 433e13004fc64ef09412e0ac57cc42492eb9b327
MD5 hash: 583524e79bf439fe42fc992fea5d75f9
humanhash: texas-sixteen-bacon-jupiter
File name:Model list set 20 USD4 8 HPID 90CUI 874.exe
Download: download sample
Signature NanoCore
File size:800'768 bytes
First seen:2022-08-05 10:10:25 UTC
Last seen:2022-08-08 06:25:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (31'209 x AgentTesla, 10'508 x Formbook, 5'466 x SnakeKeylogger)
ssdeep 24576:/l4lNlPllllplUlllllllllllllUlUUPllllUlUllbUllbT9dDZH1m3q+lVKbk0Q:/l4lNlPllllplUlllllllllllllUlUUt
TLSH T1DE051254B2DB9753D5798FF6B46106102BB1A02F14ABF24E4C8A3CF768B1B134BA1B17
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter @abuse_ch
Tags:exe NanoCore RAT


Twitter
@abuse_ch
NanoCore C2:
79.134.225.53:7171

Intelligence


File Origin
# of uploads :
5
# of downloads :
308
Origin country :
NL NL
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
nanocore
ID:
1
File name:
Model list set 20 USD4 8 HPID 90CUI 874.exe
Verdict:
Malicious activity
Analysis date:
2022-08-05 10:11:03 UTC
Tags:
nanocore

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679215 Sample: Model list set 20 USD4 8 HP... Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 11 other signatures 2->86 8 Model list set 20 USD4 8 HPID 90CUI 874.exe 7 2->8         started        12 dhcpmon.exe 2->12         started        15 Model list set 20 USD4 8 HPID 90CUI 874.exe 4 2->15         started        17 dhcpmon.exe 2->17         started        process3 dnsIp4 68 C:\Users\user\AppData\...\nFxIoujoILCO.exe, PE32 8->68 dropped 70 C:\Users\...\nFxIoujoILCO.exe:Zone.Identifier, ASCII 8->70 dropped 72 C:\Users\user\AppData\Local\...\tmpFC8E.tmp, XML 8->72 dropped 74 Model list set 20 ...D 90CUI 874.exe.log, ASCII 8->74 dropped 90 Adds a directory exclusion to Windows Defender 8->90 19 Model list set 20 USD4 8 HPID 90CUI 874.exe 1 12 8->19         started        24 powershell.exe 23 8->24         started        26 schtasks.exe 1 8->26         started        78 192.168.2.1 unknown unknown 12->78 28 powershell.exe 12->28         started        36 2 other processes 12->36 30 powershell.exe 15->30         started        32 schtasks.exe 15->32         started        34 Model list set 20 USD4 8 HPID 90CUI 874.exe 15->34         started        38 3 other processes 17->38 file5 signatures6 process7 dnsIp8 76 79.134.225.53, 49769, 49772, 49773 FINK-TELECOM-SERVICESCH Switzerland 19->76 62 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->62 dropped 64 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->64 dropped 66 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->66 dropped 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->88 40 schtasks.exe 1 19->40         started        42 schtasks.exe 19->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        48 conhost.exe 28->48         started        50 conhost.exe 30->50         started        52 conhost.exe 32->52         started        54 conhost.exe 36->54         started        56 2 other processes 38->56 file9 signatures10 process11 process12 58 conhost.exe 40->58         started        60 conhost.exe 42->60         started       
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Status:
Malicious
First seen:
2022-08-05 10:11:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
79.134.225.53:7171
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
SH256 hash:
6aee28869d24b85bfa356ceb287cf97bcdd9343c53652da70c15f65d89b237c2
MD5 hash:
8dd5c8d8943001fb426e8cd5afc03409
SHA1 hash:
7a8667eae5f7169b6f5b419cfb162bee859f7dd1
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
SH256 hash:
455d2ede9930e94dffc5520f1503a9dbb32c506183591fcd54b68fa3fefce027
MD5 hash:
79b5e2b3c44391f592b72a7a49667780
SHA1 hash:
37a0064f18a48dafe76037ef4cf519c091f799aa
SH256 hash:
18b7b1e9fcbb4f645cfb2996cc0b9742478494aab3c25d6a1b2ff6193eadb71e
MD5 hash:
295ae45abc2a599da3fe21da054629c5
SHA1 hash:
2b5c22d3a7970d04e5ee5ff929b09fc973b15bc5
Detections:
win_nanocore_w0
SH256 hash:
fded70e0d7bee0d44fdb8cd327a09f1a879d61cc35a57a4d2cba7d7d232eed18
MD5 hash:
583524e79bf439fe42fc992fea5d75f9
SHA1 hash:
433e13004fc64ef09412e0ac57cc42492eb9b327

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:ach_NanoCore
Author:abuse.ch
Rule name:malware_Nanocore_strings
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Author:ditekSHen
Description:Detects NanoCore
Rule name:nanocore_rat
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Feb18_1_RID2DF1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Author:Kevin Breen <kevin@techanarchy.net>

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.53:7171 https://threatfox.abuse.ch/ioc/841468

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments