I got a message from the Malwarebytes monthly scan about a NanoCore backdoor?

I checked VirusTotal, and there were 0 detections based on a SHA-256 search for the file.

Is this a false positive?

    File: MBPPCn64.dll
  CRC-32: 46b24f7f
     MD5: f63631c6d92033403eb7fad245439f38
   SHA-1: 75cdbdaad6a2467c83ced4213f603688a1963e22
 SHA-256: 2e5cfa02cda88fa4a206dab9ab06925fd743adf9a57f77a344473790987c8af0
 SHA-512: 5b51efb3210b1a4e83a71972a1a6f7f8609e6846da4beef0d74c5f88c17aae24fcf731fcccff952718f71837169c05cbed423ec99e20f6ab5fc787e4f9c0c8a0

---

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/13/20
Scan Time: 10:04 AM
Log File: d4c52e42-c511-11ea-88a4-34f39a9233f7.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26771
License: Free

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 395361
Threats Detected: 25
Threats Quarantined: 25
Time Elapsed: 15 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 24
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{6A25A050-525C-4c97-A072-9504F8E8E77D}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.ControllerPropPageLoader, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.ControllerPropPageLoader.1, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\TYPELIB\{5DF21ACB-651C-4332-83DA-FBA3846C44D8}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\INTERFACE\{8DB8468B-2C40-48FF-A925-D5AF337C71D7}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\INTERFACE\{8E6F605D-E8A9-418F-806C-70F32091C675}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\INTERFACE\{964D846F-3E6D-4FB5-A613-948039719F3F}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{8DB8468B-2C40-48FF-A925-D5AF337C71D7}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{8E6F605D-E8A9-418F-806C-70F32091C675}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{964D846F-3E6D-4FB5-A613-948039719F3F}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{8DB8468B-2C40-48FF-A925-D5AF337C71D7}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{8E6F605D-E8A9-418F-806C-70F32091C675}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{964D846F-3E6D-4FB5-A613-948039719F3F}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{5DF21ACB-651C-4332-83DA-FBA3846C44D8}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{5DF21ACB-651C-4332-83DA-FBA3846C44D8}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{6A25A050-525C-4c97-A072-9504F8E8E77D}\InprocServer32, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{74C7569D-ED69-4292-9886-CC89DD455744}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.PropPageStub, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.PropPageStub.1, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{74C7569D-ED69-4292-9886-CC89DD455744}\InprocServer32, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{F2725209-D040-48ba-B5B3-FAE9060BC3C9}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.EndpointPropPageLoader, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.EndpointPropPageLoader.1, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{F2725209-D040-48ba-B5B3-FAE9060BC3C9}\InprocServer32, Quarantined, 3700, 840328, , , ,

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Backdoor.NanoCore, C:\WINDOWS\SYSTEM32\MBPPCN64.DLL, Quarantined, 3700, 840328, 1.0.26771, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

  • Administrators
1 minute ago, joedf said:

Woops wrong section.

All good. I have moved it to the right area.


Thank you, I've reattached the log, file hash and quarantined file. I'm not sure how I pasted that all mashed up.

    File: MBPPCn64.dll
  CRC-32: 46b24f7f
     MD5: f63631c6d92033403eb7fad245439f38
   SHA-1: 75cdbdaad6a2467c83ced4213f603688a1963e22
 SHA-256: 2e5cfa02cda88fa4a206dab9ab06925fd743adf9a57f77a344473790987c8af0
 SHA-512: 5b51efb3210b1a4e83a71972a1a6f7f8609e6846da4beef0d74c5f88c17aae24fcf731fcccff952718f71837169c05cbed423ec99e20f6ab5fc787e4f9c0c8a0

Attachments: threat_detected_01.txt, MBPPCn64.dll.zip

Just now, gkidd said:

Multiple Backdoor.NanoCore alerts in my organization as well. Started this morning after daily scan.

Good to hear I'm not alone. I freaked out. I haven't downloaded any shady email attachments or anything like that...


I'm with you Joe - same files/keys as you have listed above. Multiple endpoints on various network segments = exact same alarm.


Weird... I did a restore and did a manual scan of MBPPCn64.dll ... it came back negative now.


---

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/13/20
Scan Time: 11:40 AM
Log File: 29ba1f72-c51f-11ea-b0ea-34f39a9233f7.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26775
License: Free

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: FROST-PC\Frost

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 1
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 0 min, 11 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

  • Staff

It was a legit file but the malware we targeted hit both the legit file and the malware we found. We fixed the definition to only hit the malware.

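A small parser for the text scan-log format pasted in this thread, added here as an example (it is not Malwarebytes code): it pulls the hits and the Update Package Version out of two logs and reports which hits disappeared between them, which is the check an admin with many endpoints would run to tie a vanished detection to a definition update rather than to a real cleanup. The meaning of the trailing numeric columns is not given on the page, so they are kept as opaque values (an assumption); the two sample logs are constructed abbreviations of the logs above.

```python
# Added example, not Malwarebytes code: parse the text scan-log format pasted in this
# thread and diff two logs. Trailing numeric columns are undocumented here: kept opaque.
import re
from collections import namedtuple

Detection = namedtuple("Detection", "category threat obj action extra")
SECTION_RE = re.compile(r"^-(.+)-$")              # e.g. '-Scan Details-'
HEADER_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")   # e.g. 'Registry Key: 24'

def parse_log(text):
    """Return (fields, detections): metadata 'Key' -> 'value', one Detection per hit."""
    fields, detections, section, category = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif not line or line.startswith("(") or section is None:
            continue                                  # blank, '(No malicious ...)', '(end)', banner
        elif section != "Scan Details":
            key, _, value = line.partition(": ")
            fields[key] = value
        elif HEADER_RE.match(line):
            category = HEADER_RE.match(line).group(1)  # 'File: 1' -> 'File'
        else:
            p = [x.strip() for x in line.split(",")]
            if len(p) >= 3:
                detections.append(Detection(category, p[0], p[1], p[2], tuple(p[3:])))
    return fields, detections

def compare(before, after):
    """Return (package_before, package_after, hits in `before` absent from `after`)."""
    fb, db = parse_log(before)
    fa, da = parse_log(after)
    still = {(d.category, d.obj.lower()) for d in da}
    gone = [d for d in db if (d.category, d.obj.lower()) not in still]
    return fb.get("Update Package Version"), fa.get("Update Package Version"), gone

# Constructed, abbreviated samples modelled on the two logs in this thread.
BEFORE = r"""-Software Information-
Update Package Version: 1.0.26771
-Scan Details-
Registry Key: 1
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.PropPageStub, Quarantined, 3700, 840328, , , ,
File: 1
Backdoor.NanoCore, C:\WINDOWS\SYSTEM32\MBPPCN64.DLL, Quarantined, 3700, 840328, 1.0.26771, , ame,
(end)"""
AFTER = r"""-Software Information-
Update Package Version: 1.0.26775
-Scan Details-
File: 0
(No malicious items detected)
(end)"""
```

Running `compare(BEFORE, AFTER)` shows both hits gone and the package version moving from 1.0.26771 to 1.0.26775, the same pattern as the two logs in this thread.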
