MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35b150d62d867c78b998721316d307a77d0d3625b5a314bfc1d16d8c2347bb22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35b150d62d867c78b998721316d307a77d0d3625b5a314bfc1d16d8c2347bb22
SHA3-384 hash: 9acf866220f08a72357dc42d19b3071624050a3402f8effd851731493ccb42367cdcf71e51bc3b934985dd1cfa419afb
SHA1 hash: 10e45e7a3eaae06586a768de7c17a36d0dfc510a
MD5 hash: 00f1eca79a7182fa6b69d34bf81cdf07
humanhash: pasta-charlie-thirteen-aspen
File name:Alice Rotich CV.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:894'976 bytes
First seen:2020-07-31 07:37:43 UTC
Last seen:2020-08-03 08:31:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bd44fc7474cd1f02fae5c94314314eb4 (3 x Loki, 1 x AgentTesla, 1 x NanoCore)
ssdeep 12288:uesfUazLqCwtZKGdotXPk0XvuZFuj905RzZZaGkzlDajT1HxRnwUEEjZ:uzsEQD2Pk60A8NfmxiJgEjZ
Threatray 3'360 similar samples on MalwareBazaar
TLSH 0B159E22B2D04833C3631A7D8F6B976CA936BD532D25AA866BF50C4C5F396407B35393
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: yahoo.com
Sending IP: 45.143.222.165
From: alice rotich <jematiarotich78@yahoo.com>
Subject: Applying for Sales Executive Position
Attachment: Alice Rotich CV.zip (contains "Alice Rotich CV.exe")

NanoCore RAT C2:
wazzy.ddns.net:1716 (79.134.225.75)

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35934/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/404955
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 254729 Sample: Alice Rotich CV.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 87 wazzy.ddns.net 2->87 89 g.msn.com 2->89 91 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->91 97 Found malware configuration 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 Sigma detected: Scheduled temp file as task from temp location 2->101 103 10 other signatures 2->103 11 Alice Rotich CV.exe 2->11         started        14 Alice Rotich CV.exe 2->14         started        16 dhcpmon.exe 2->16         started        18 dhcpmon.exe 2->18         started        signatures3 process4 signatures5 107 Maps a DLL or memory area into another process 11->107 20 Alice Rotich CV.exe 1 14 11->20         started        25 Alice Rotich CV.exe 11->25         started        27 Alice Rotich CV.exe 14->27         started        29 Alice Rotich CV.exe 3 14->29         started        31 dhcpmon.exe 16->31         started        33 dhcpmon.exe 3 16->33         started        35 dhcpmon.exe 18->35         started        37 dhcpmon.exe 18->37         started        process6 dnsIp7 93 wazzy.ddns.net 79.134.225.75, 1716, 49709, 49710 FINK-TELECOM-SERVICESCH Switzerland 20->93 77 C:\Program Files (x86)\...\dhcpmon.exe, PE32 20->77 dropped 79 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 20->79 dropped 81 C:\Users\user\AppData\Local\...\tmp3E68.tmp, XML 20->81 dropped 83 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 20->83 dropped 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->105 39 schtasks.exe 1 20->39         started        41 schtasks.exe 1 20->41         started        43 Alice Rotich CV.exe 27->43         started        85 C:\Users\user\...\Alice Rotich CV.exe.log, ASCII 29->85 dropped 46 dhcpmon.exe 31->46         started        48 dhcpmon.exe 35->48         started        file8 signatures9 process10 signatures11 50 conhost.exe 39->50         started        52 conhost.exe 41->52         started        109 Maps a DLL or memory area into another process 43->109 54 Alice Rotich CV.exe 43->54         started        56 Alice Rotich CV.exe 43->56         started        58 dhcpmon.exe 46->58         started        60 dhcpmon.exe 46->60         started        62 dhcpmon.exe 48->62         started        64 dhcpmon.exe 48->64         started        process12 process13 66 Alice Rotich CV.exe 54->66         started        69 dhcpmon.exe 58->69         started        signatures14 95 Maps a DLL or memory area into another process 66->95 71 Alice Rotich CV.exe 66->71         started        73 Alice Rotich CV.exe 66->73         started        75 dhcpmon.exe 69->75         started        process15
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35b150d62d867c78b998721316d307a77d0d3625b5a314bfc1d16d8c2347bb22/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 04:07:01 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
37 of 48 (77.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwyvbvrnqz6hromyoijrnuyhu56q2nrfwwrrjp6b2fwyyi2hxmra._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
3a8a04925d66b89b7cdb459aa6fc33e5132c447efcc541ab86e17b74f64a8287
NanoCore
48f66677fec3c6d3734c439ed9b2fd29cb26a155e8ccb28f30c1b2b65a4878d8
NanoCore
49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3
NanoCore
5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f
NanoCore
5e32d07c21d72fb6e5b1c48c92ab18268ff5121b8e2ccfda9740152d896e30c2
NanoCore
76b62ef8530770a98200250ce45c56647bab874f0bd1c2a5daa074e570a7d204
NanoCore
aa7160304a2e8d87bf5b0f99977cc2e216db9bf801c435a6439990814bf2bb7b
NanoCore
b8a6818ebadd26de05a88a3938a3fc3ee593184be5448af728f5ff07e7ca2ddc
NanoCore
df191b78f2797a4ffd5a770c5ca3a64e8aa43d32645ed2c6c58eda4a7d4550e5
NanoCore
e4a593b84876eae3470ee1565480259eb2257e44a861ea9f24609105dc4083dc
NanoCore
+ 3'350 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200731-kg8yq3wyrs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore
Malware Config
C2 Extraction:
wazzy.ddns.net:1716
79.134.225.75:1716
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35b150d62d867c78b998721316d307a77d0d3625b5a314bfc1d16d8c2347bb22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip a3489dbc31e184da8e310e92f645b1f2b6dfe92de7fde768781500978c84214d

NanoCore

Executable exe 35b150d62d867c78b998721316d307a77d0d3625b5a314bfc1d16d8c2347bb22

(this sample)

  
Dropped by
MD5 6b1a3db832faa757821eea3ddd210fce
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35934/
  
Dropped by
SHA256 a3489dbc31e184da8e310e92f645b1f2b6dfe92de7fde768781500978c84214d

Comments