ScreenShot
| Created | 2024.08.12 09:14 | Machine | s1_win7_x6403 |
| Filename | nano.exe | ||
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 62 detected (AIDetectMalware, Windows, Nanocore, Orbus, Unsafe, Save, malicious, DownLoader12, BSON, Nancrat, GenericRXAA, fpar, NanoBot, hmqoyu, CLASSIC, Gen7, NOANCOOE, SMUPS, Real Protect, high, score, NanoCor, Static AI, Malicious PE, Detected, ai score=85, GrayWare, JDE@5s4u9t, atmn, Nancat, Eldorado, ZemsilF, ImW@aKcFB, susgen, confidence, 100%) | ||
| md5 | 1873f27a43f63c02800d6c80014c0235 | ||
| sha256 | 4bfcba248d79dfd6c2cba52d7c9ee18842f007bfa0e3ba99ababacb4794e8c6e | ||
| ssdeep | 12288:WLV6BtpmkzPLrQIh+ReoSwN+Jp9rQj3SHdEIzqLPxc3hHyOm:EApfzPfQ9RecEp9NzUi3JyL | ||
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 | ||
| impfuzzy | 3:rGsLdAIEK:tf | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 62 AntiVirus engines on VirusTotal as malicious |
| watch | A process attempted to delay the analysis task. |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Installs itself for autorun at Windows startup |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more of the buffers contains an embedded PE file |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | Is_DotNET_EXE | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
ET MALWARE NanoCore RAT CnC 7
ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
ET MALWARE NanoCore RAT Keepalive Response 3
ET MALWARE NanoCore RAT Keepalive Response 1
ET MALWARE NanoCore RAT CnC 7
ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
ET MALWARE NanoCore RAT Keepalive Response 3
ET MALWARE NanoCore RAT Keepalive Response 1
PE API
IAT(Import Address Table) Library
mscoree.dll
0x402000 _CorExeMain
EAT(Export Address Table) is none
mscoree.dll
0x402000 _CorExeMain
EAT(Export Address Table) is none