MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06045ab62eb005d02772416469adeae707f67d19f0b587d3b57c340df4016dc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	06045ab62eb005d02772416469adeae707f67d19f0b587d3b57c340df4016dc2
SHA3-384 hash:	12321b211b05b2300bddd84ae7bb89e1fd1ff9b61f25cb702743ff8ab8cc62ec94bbd1fdea386f487a4980b4f3c69d0b
SHA1 hash:	4b005532ec02ca202ecee5a35afb324173105d5d
MD5 hash:	3c45c9d6a53d68de75d2253a32fd2501
humanhash:	orange-river-mars-oxygen
File name:	854_07_07_2020_REF01.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	800'768 bytes
First seen:	2020-07-07 17:24:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3c1493e9364225c57af40c52186c008b (18 x AgentTesla, 7 x Loki, 3 x NanoCore)
ssdeep	12288:GxK33heNnvkxmaaeLawFMFnu93H7DMxFQhGkvubFA/MSr/onzKFfMC:ZnhUv6JaAj37DMkckrf7onuFfMC
Threatray	3'197 similar samples on MalwareBazaar
TLSH	7105BF26F2D07C33D16B163D8D3B6675A83AFD412A249A462BF4DC789F3864138352E7
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: ferrospg.com
Sending IP: 45.143.222.165
From: Alan <sales@amscologistics.co.uk>
Subject: REQUEST FOR QUOTE
Attachment: 854_07_07_2020_REF01.pdf 1.zip (contains "854_07_07_2020_REF01.exe")

NanoCore RAT C2:
izu2128.hopto.org:2128 (185.244.29.131)

Pointing to nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/22372/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.Herz.B.18879.21615.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Creating a file in the %temp% directory

Launching a process

Deleting a recently created file

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun with Startup directory

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/06045ab62eb005d02772416469adeae707f67d19f0b587d3b57c340df4016dc2/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-07 17:26:08 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aycfvnrowac5aj3sifsgtlpk44d7m7iz6c2ypu5vpq2a35abnxba._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

NanoCore

79298aefcdaa74aeb60984fade623a91a84f0ab7fb5f3df342b86a5bb5efacf8

NanoCore

7c4ec41185be3d57adbaa0bfcd8b517aa2cabbf40320e2de0dd1b4ad73aaab36

NanoCore

9ac6f36e933607b09a00eb16eb67acee68fdb8ee460f556101d742dee7b7c6cc

NanoCore

a087e90ae52431a64c445ab5cb75d6672970e0ecaedc52be5ae89ab873c64fa4

NanoCore

c45cbf7de196d50a6eb860e3d8dbfdf8f3699c3e62df58f63bd1c6c176c9ead1

NanoCore

d7aa2665c67f34ae4f7bc74803878b94c8a4d30685a8a49788deb58601495faf

NanoCore

e0e2b9ccdeafb58afceb0e90a9365112b5cb9446054e06b18e9ef51841e6f36c

NanoCore

e3574b9f84ca8cf778a664b60c2d6fde9049c51a384f5fbe49003fe806afd966

NanoCore

f6e1d512e3da60314732745faefb71123ec48154575d3b621546fc55e78e7a3c

NanoCore

+ 3'187 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore persistence

Link:

https://tria.ge/reports/200707-tvd9dgzche/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

UPX packed file

NanoCore

Malware Config

C2 Extraction:

izu2128.hopto.org:2128
185.244.29.131:2128

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/