
I got a message from the Malwarebytes monthly scan about a NanoCore Backdoor?

I checked VirusTotal, and there were 0 detections based on a file SHA-256 search.

Is this a false positive?

 

    File: MBPPCn64.dll
  CRC-32: 46b24f7f
     MD5: f63631c6d92033403eb7fad245439f38
   SHA-1: 75cdbdaad6a2467c83ced4213f603688a1963e22
 SHA-256: 2e5cfa02cda88fa4a206dab9ab06925fd743adf9a57f77a344473790987c8af0
 SHA-512: 5b51efb3210b1a4e83a71972a1a6f7f8609e6846da4beef0d74c5f88c17aae24fcf731fcccff952718f71837169c05cbed423ec99e20f6ab5fc787e4f9c0c8a0

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/13/20
Scan Time: 10:04 AM
Log File: d4c52e42-c511-11ea-88a4-34f39a9233f7.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26771
License: Free

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 395361
Threats Detected: 25
Threats Quarantined: 25
Time Elapsed: 15 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 24
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{6A25A050-525C-4c97-A072-9504F8E8E77D}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.ControllerPropPageLoader, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.ControllerPropPageLoader.1, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\TYPELIB\{5DF21ACB-651C-4332-83DA-FBA3846C44D8}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\INTERFACE\{8DB8468B-2C40-48FF-A925-D5AF337C71D7}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\INTERFACE\{8E6F605D-E8A9-418F-806C-70F32091C675}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\INTERFACE\{964D846F-3E6D-4FB5-A613-948039719F3F}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{8DB8468B-2C40-48FF-A925-D5AF337C71D7}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{8E6F605D-E8A9-418F-806C-70F32091C675}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{964D846F-3E6D-4FB5-A613-948039719F3F}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{8DB8468B-2C40-48FF-A925-D5AF337C71D7}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{8E6F605D-E8A9-418F-806C-70F32091C675}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{964D846F-3E6D-4FB5-A613-948039719F3F}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{5DF21ACB-651C-4332-83DA-FBA3846C44D8}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{5DF21ACB-651C-4332-83DA-FBA3846C44D8}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{6A25A050-525C-4c97-A072-9504F8E8E77D}\InprocServer32, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{74C7569D-ED69-4292-9886-CC89DD455744}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.PropPageStub, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.PropPageStub.1, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{74C7569D-ED69-4292-9886-CC89DD455744}\InprocServer32, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{F2725209-D040-48ba-B5B3-FAE9060BC3C9}, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.EndpointPropPageLoader, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.EndpointPropPageLoader.1, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CLSID\{F2725209-D040-48ba-B5B3-FAE9060BC3C9}\InprocServer32, Quarantined, 3700, 840328, , , ,

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Backdoor.NanoCore, C:\WINDOWS\SYSTEM32\MBPPCN64.DLL, Quarantined, 3700, 840328, 1.0.26771, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

1 minute ago, joedf said:

Whoops, wrong section.

All good. I have moved it to the right area.


Thank you, I've reattached the log, file hash and quarantined file. I'm not sure how I pasted that all mashed up.

    File: MBPPCn64.dll
  CRC-32: 46b24f7f
     MD5: f63631c6d92033403eb7fad245439f38
   SHA-1: 75cdbdaad6a2467c83ced4213f603688a1963e22
 SHA-256: 2e5cfa02cda88fa4a206dab9ab06925fd743adf9a57f77a344473790987c8af0
 SHA-512: 5b51efb3210b1a4e83a71972a1a6f7f8609e6846da4beef0d74c5f88c17aae24fcf731fcccff952718f71837169c05cbed423ec99e20f6ab5fc787e4f9c0c8a0

threat_detected_01.txt MBPPCn64.dll.zip

Just now, gkidd said:

Multiple Backdoor.NanoCore alerts in my organization as well. Started this morning after the daily scan.

Good to hear I'm not alone. I freaked out. I haven't downloaded any shady email attachments or anything like that...


I'm with you, Joe - same files/keys as you have listed above. Multiple endpoints on various network segments = exact same alarm.


Weird... I did a restore and did a manual scan of MBPPCn64.dll ... it came back negative now.

 

---

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/13/20
Scan Time: 11:40 AM
Log File: 29ba1f72-c51f-11ea-b0ea-34f39a9233f7.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26775
License: Free

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: FROST-PC\Frost

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 1
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 0 min, 11 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

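As an added example (not code from this thread or from Malwarebytes), here is a small Python parser for the plain-text scan logs pasted above, used the way a defender triaging a fleet-wide alert would: pull the detections out of each log, count them by category, check that the summary's "Threats Detected" agrees with the items actually listed (a truncated or mangled paste fails this), and diff a scan against a rescan to see which detections disappeared after a definitions update. The two embedded logs are abbreviated, constructed versions of the two logs in this thread (the scheduled Threat Scan on update package 1.0.26771 and the manual rescan on 1.0.26775). The hash helper is there because the first post compares a SHA-256 against VirusTotal; it hashes constructed sample bytes, and it exists to confirm that the bytes you look up are the file the log named. All function names are my own.

```python
"""Parse, summarize and diff Malwarebytes plain-text scan logs (added example)."""
import hashlib
import hmac
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Detection:
    category: str  # section under "-Scan Details-", e.g. "Registry Key" or "File"
    threat: str    # detection name, e.g. "Backdoor.NanoCore"
    target: str    # registry key or file path that was acted on
    action: str    # e.g. "Quarantined"


@dataclass
class ScanLog:
    fields: dict = field(default_factory=dict)   # every "Key: Value" line outside Scan Details
    detections: list = field(default_factory=list)


SECTION_RE = re.compile(r"^-(.+)-$")                 # "-Scan Summary-"
CATEGORY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")   # "Registry Key: 24"


def parse_log(text):
    """Turn one Malwarebytes text log into a ScanLog."""
    log, section, category = ScanLog(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, category = m.group(1), None
            continue
        if section == "Scan Details":
            m = CATEGORY_RE.match(line)
            if m:
                category = m.group(1)
                continue
            if line.startswith("(") or category is None:
                continue  # "(No malicious items detected)"
            parts = [p.strip() for p in line.split(",")]  # threat, target, action, ...
            if len(parts) >= 3:
                log.detections.append(Detection(category, parts[0], parts[1], parts[2]))
        elif ": " in line:
            key, value = line.split(": ", 1)
            log.fields[key] = value
    return log


def count_by_category(log):
    return dict(Counter(d.category for d in log.detections))


def summary_consistent(log):
    """True when 'Threats Detected' equals the number of listed items."""
    return int(log.fields.get("Threats Detected", "-1")) == len(log.detections)


def cleared_on_rescan(first, second):
    """Detections in `first` whose (category, threat, target) does not recur in `second`."""
    seen = {(d.category, d.threat, d.target) for d in second.detections}
    return [d for d in first.detections if (d.category, d.threat, d.target) not in seen]


def matches_reported_sha256(data, reported_hex):
    """Constant-time check that `data` hashes to the SHA-256 the log or forum post reported."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), reported_hex.strip().lower())


# Constructed, abbreviated versions of the two logs in the thread.
THREAT_SCAN = r"""
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/13/20
Scan Time: 10:04 AM

-Software Information-
Update Package Version: 1.0.26771

-Scan Summary-
Scan Type: Threat Scan
Threats Detected: 3
Time Elapsed: 15 min, 58 sec

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 2
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.PropPageStub, Quarantined, 3700, 840328, , , ,
Backdoor.NanoCore, HKLM\SOFTWARE\CLASSES\CplStub.PropPageStub.1, Quarantined, 3700, 840328, , , ,

File: 1
Backdoor.NanoCore, C:\WINDOWS\SYSTEM32\MBPPCN64.DLL, Quarantined, 3700, 840328, 1.0.26771, , ame,

(end)
"""

RESCAN = r"""
-Software Information-
Update Package Version: 1.0.26775

-Scan Summary-
Scan Type: Custom Scan
Objects Scanned: 1
Threats Detected: 0

-Scan Details-
File: 0
(No malicious items detected)

(end)
"""

if __name__ == "__main__":
    before, after = parse_log(THREAT_SCAN), parse_log(RESCAN)
    print(before.fields["Update Package Version"], count_by_category(before), summary_consistent(before))
    print(after.fields["Update Package Version"], count_by_category(after), summary_consistent(after))
    for d in cleared_on_rescan(before, after):
        print("cleared on rescan:", d.category, d.target)
```

Keying the diff on (category, threat, target) rather than on the whole line matters because the trailing numeric fields and the update package version change between scans even when the detection itself is the same; for the constructed logs, all three detections from the first scan are reported as cleared on the rescan, which is the pattern the thread describes.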
