MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fd9f9784c8b9678b08dcb94886985fa7835d0135ea12689082e0bf604c19bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	2fd9f9784c8b9678b08dcb94886985fa7835d0135ea12689082e0bf604c19bbb
SHA3-384 hash:	314d23989887571f4ea36b77c81a08ba9c093f7a2bc6ae5643e341ebaa81c32ec57fc2bc9c620f81a55608203b016eb3
SHA1 hash:	99c7d0ad63c2bca8bb61dbc4fa65c01dfad9cce4
MD5 hash:	ea9139664e5a3182dbafcdc476785de1
humanhash:	hot-yankee-thirteen-emma
File name:	SCAN_DOCUMENT.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	850'432 bytes
First seen:	2020-07-08 15:05:11 UTC
Last seen:	2020-07-08 16:06:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:8h4MNgC7slhtWa998LshhGKkJqq4KslhtWW:Q3ghhtWakLshFqShtW
Threatray	1'964 similar samples on MalwareBazaar
TLSH	0105C0357BA19B01C37E4F32CE7681009E3695A76E06E29B6EDD14EE895B7082E07713
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: server.sippec.ci
Sending IP: 108.179.222.249
From: SIPPEC GMBH <assohoumathias@sippec.ci>
Reply-To: cudillojapzon@hotmail.com
Subject: Aw: SWIFT CONFIRMATION
Attachment: SCAN_DOCUMENT.r11 (contains "SCAN_DOCUMENT.exe")

NanoCore RAT C2:
frank3000.ddns.net:4983 (194.5.99.14)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: INTER_CLOUD_SERVICES_RUSSIA
admin-c: ICTR1-RIPE
tech-c: ICTR1-RIPE
org: ORG-ICR2-RIPE
country: RU
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-04T13:20:18Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/23149/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.372.11752.6505.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file in the %AppData% subdirectories

DNS request

Using the Windows Management Instrumentation requests

Sending a TCP request to an infection source

Enabling autorun with Startup directory

Unauthorized injection to a system process

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/2fd9f9784c8b9678b08dcb94886985fa7835d0135ea12689082e0bf604c19bbb/

Threat name:

ByteCode-MSIL.Trojan.Masslogger

Status:

Malicious

First seen:

2020-07-08 15:07:04 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f7m7s6cmrolhrmenzokiq2mf7j4dluatl2qsnciifyf7mbgbto5q._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

4b540d8dbf441994703593fb0d77bfecde0ea29daffd43b721de2bed1b9e497c

NanoCore

4fa82bcc428147d23e5abc86fb9bfdc61829d91094659e74250ac43ab9a73ab4

NanoCore

6343bc22fcb1a909e908ca7c0fa90d34e09f669dbd72a69e75ff8af7a9d217eb

NanoCore

69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c

NanoCore

832782af8ac7a682f48d5a00f549a5474d6b2524386c8826eae41982db8597c3

NanoCore

8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4

NanoCore

93333039cc8d0939fbd91cb9d6b4a49d654460b0559bc8526bbe57716da0c121

NanoCore

be4a89687a7d185648c2e9341a18b37d06e71b06cbbbb8b3d2f6e0bc215a8548

NanoCore

f9397a0438f1e3a8d03aa326dc4910482df49dd295228d9a4dda1f55247fd6e3

NanoCore

+ 1'954 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200708-cwfkwy7kfs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

frank3000.ddns.net:4983

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

859171e00fd196e0e2f8ca7903e2f98d

NanoCore

exe 2fd9f9784c8b9678b08dcb94886985fa7835d0135ea12689082e0bf604c19bbb

(this sample)

Dropped by

MD5 859171e00fd196e0e2f8ca7903e2f98d

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/23149/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample