MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff83ce74018d4471c4cfffe406767fcd0db3ae76233e199fb3e3f5c0a40f7643. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff83ce74018d4471c4cfffe406767fcd0db3ae76233e199fb3e3f5c0a40f7643
SHA3-384 hash: f7853640bbdedc7d5d3b563836f6937099766048bbe69c97cc5be495d333ba994f1466853f63124c119688e510c1822c
SHA1 hash: 46e0a230c0c01f00b7c76a911b8069cea4e42a01
MD5 hash: f81adef8dc48ed3760f678dc76339d83
humanhash: magazine-spring-yellow-xray
File name:RFQ-PO #50763.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:997'888 bytes
First seen:2020-08-20 05:32:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0Hq/Yy8pm4EfOdpo6hrJ00vvo+GOt5D4ujmTOduOgbrXKREC7wDwssUOoHT4bqxU:cQYDXhrJ9o+HXDpjmTjraREC7wvTX
Threatray 1'069 similar samples on MalwareBazaar
TLSH A225125DB5202ABED84FC570DA0C6D25973129B7475AFA172C4B40E89E1CB07CF2A6B3
Reporter cocaman
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48981/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/440490
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 272812 Sample: RFQ-PO #50763.exe Startdate: 21/08/2020 Architecture: WINDOWS Score: 100 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 Sigma detected: NanoCore 2->59 61 9 other signatures 2->61 8 RFQ-PO #50763.exe 7 2->8         started        12 RegSvcs.exe 4 2->12         started        14 dhcpmon.exe 4 2->14         started        16 dhcpmon.exe 3 2->16         started        process3 file4 45 C:\Users\user\AppData\Roaming\qUSHOAkPr.exe, PE32 8->45 dropped 47 C:\Users\...\qUSHOAkPr.exe:Zone.Identifier, ASCII 8->47 dropped 49 C:\Users\user\AppData\Local\...\tmp5506.tmp, XML 8->49 dropped 51 C:\Users\user\...\RFQ-PO #50763.exe.log, ASCII 8->51 dropped 65 Writes to foreign memory regions 8->65 67 Allocates memory in foreign processes 8->67 69 Injects a PE file into a foreign processes 8->69 18 RegSvcs.exe 1 13 8->18         started        23 schtasks.exe 1 8->23         started        25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        signatures5 process6 dnsIp7 53 185.244.30.107, 1985, 49730, 49731 DAVID_CRAIGGG Netherlands 18->53 41 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 18->41 dropped 43 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->43 dropped 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->63 31 schtasks.exe 1 18->31         started        33 schtasks.exe 1 18->33         started        35 conhost.exe 23->35         started        file8 signatures9 process10 process11 37 conhost.exe 31->37         started        39 conhost.exe 33->39         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff83ce74018d4471c4cfffe406767fcd0db3ae76233e199fb3e3f5c0a40f7643/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-20 03:55:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=76b445abrvchdrgp77sam5t7zug3hltwem7bth5t4p24bjapozbq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0b227a11aa15b176c7d63d4aacbfcf8cd70bfa8f457d4d762053c559cd31435a
NanoCore
4de20c38ffff3f9d75d9a446f152c017d9010477c28c8b97875f95f448ecb761
NanoCore
71b9cfc637c0d49cc0375574e6254b09545d4ebc584b734aa8e35cf04b991332
NanoCore
7517598e76a259f655059544b46dfe2a509fb56fbdc7cee743dfbdaff5c722da
NanoCore
9bf00370d7ce501407903b0435920664abc86712b94263575e72ad9aa98022de
NanoCore
af7b5b39405065f105a0bf0f53578061adcd58a5861bb38827dd0f62df4f57ed
NanoCore
cbd78bfa67cd972d5c01472ce3f98e4500744c2544ca5fdddc3d9df49fbf1227
NanoCore
d28b1aecf31d66ac879101538af986bd720ac417046bca393e75985bea7edecf
NanoCore
e74457811f2abc70de01c9fd40cae9112b274937bebbee5c7cb9b8356e9a4e03
NanoCore
f2f3fbce922931de773ca15e8486016a85595a41fec8cb94d29e7b16bdcc2bfe
NanoCore
+ 1'059 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200820-bw69m5tqmn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
185.244.30.107:1985
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff83ce74018d4471c4cfffe406767fcd0db3ae76233e199fb3e3f5c0a40f7643

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z ba943c3c495e0a6590b1b136a8e0a30ffba173d6f28b38784120534942b39183

NanoCore

Executable exe ff83ce74018d4471c4cfffe406767fcd0db3ae76233e199fb3e3f5c0a40f7643

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ba943c3c495e0a6590b1b136a8e0a30ffba173d6f28b38784120534942b39183
Cape
Cape
https://www.capesandbox.com/analysis/48981/

Comments