MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d21886bb28a6dfb2f331cb95cf7b74dbb5ae79dc70bbcd7451f15afd53999e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d21886bb28a6dfb2f331cb95cf7b74dbb5ae79dc70bbcd7451f15afd53999e1
SHA3-384 hash: 143845d1db840fd644fe055bd0c0e4870dd63ea149a74287ee24e40f3a2ca36c8f68f97a22c5dfc21ef4a6455de629b3
SHA1 hash: 7965afabb556b9e84a9e6cc88320db379b757cb6
MD5 hash: fd44c79512a3adf2382f10847d21e478
humanhash: kilo-uranus-eighteen-lactose
File name:xppp.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:463'360 bytes
First seen:2020-05-26 17:22:20 UTC
Last seen:2020-06-10 12:28:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Rj8IgxtJF9ZYXDu8sVAfEHoELYgqH/9YZzghujTrJbFdGJ+QeTOl2UbAaDc7zzHC:aYqVABEU9ulZveNuOZoTt458XyQLV8
Threatray 1'359 similar samples on MalwareBazaar
TLSH 80A48D3E5B489FB8D637A370850616D38220F8C76E91F73F5F9078959B0198C0DEAA97
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mail1.point-one.com
Sending IP: 104.145.3.123
From: Michael Gerrand <Info@BritCycle.com>
Reply-To: prepre080@vivaldi.net
Subject: RESENDING: Quotation Needed
Attachment: PO_260520.doc

NanoCore payload URL:
http://lightstyle.com.my/xppp.exe

NanoCore RAT C2:
bright1.awsmppl.com:4777 (79.134.225.89)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
3
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.SHS.13118.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 17:35:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
4dc229e375efa1e86ede0cf29688dff17e3ad50eee49e6b81991c7591542454e
NanoCore
73cc33d200ce22012733ea7c3fa8d03ef3ea65164497314d7d05b2992892d4e0
NanoCore
8ee9784e9c874e7b40e667115655e0965420c5233238ca1499cdd7c25c79dc6c
NanoCore
963ef1f1d728673b7769357ef250a53cf202abf7748fb780158e8b642aa63ba8
NanoCore
b8dbe674fabd57154010f3bf9d145109c4572f013f07f5be9afeb011b3e583c4
NanoCore
c0722d0e58ef57301d0883dcddf27c8eed901c9a01b186e6b400c48f7ff6a832
NanoCore
d451e3e7766abda3a6406d3e52ed8d123daa52409bb7905a44694855fa923888
NanoCore
ec9d801b120855fe926902234e77c60d5a0c8a115a977fe49e6b6b1539e0db51
NanoCore
f0caa55fec8b5afbb9799bc2bcd8d965ef420e1138e38ef94c65a6a2037042a3
NanoCore
f2535caecce2737920213eb3f84ad8f9cb783d4562303bfad9bcdbb7749d1c01
NanoCore
+ 1'349 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-mtpewkz3kn/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
bright1.awsmppl.com:4777
ml.warzonedns.com:4777
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Word file doc 963ef1f1d728673b7769357ef250a53cf202abf7748fb780158e8b642aa63ba8

NanoCore

Executable exe 1d21886bb28a6dfb2f331cb95cf7b74dbb5ae79dc70bbcd7451f15afd53999e1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/369578/
  
Dropped by
SHA256 963ef1f1d728673b7769357ef250a53cf202abf7748fb780158e8b642aa63ba8
  
Dropped by
MD5 523873f689cda6ab97b53a3a3ec3d629
  
Delivery method
Distributed via web download

Comments