MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a8a04925d66b89b7cdb459aa6fc33e5132c447efcc541ab86e17b74f64a8287. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 5 Comments

SHA256 hash: 3a8a04925d66b89b7cdb459aa6fc33e5132c447efcc541ab86e17b74f64a8287
SHA3-384 hash: 6a02317cea911e4fa2d170c32d45183302409c6d176de8552d5917a7d044abf66588116395d2f19b1c4aa6ee4c948baf
SHA1 hash: c3412e74e5a797d3d087d05fcf7e03c03e960e1a
MD5 hash: c85493fbd869baf0b92c89a09604562d
humanhash: emma-white-summer-speaker
File name:c85493fbd869baf0b92c89a09604562d.exe
Download: download sample
Signature NanoCore
File size:727'552 bytes
First seen:2020-07-31 08:31:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e374e6a01735b73e577e6a14415ed0c
ssdeep 12288:LCVMTcr5w3T2qnLaKr1K2KXIN0h13i4ywIgnI7od2DLCSnK70Jc+NjTbV/Pq9Rid:WiQOD2qr1K2rNsU4nIn++NLV/YRi4iJV
TLSH 20F4AF33A2E04436D133163F9C1B579DA83ABD1C292459462BE52C4C9F3977D38EA29F
Reporter @abuse_ch
Tags:exe NanoCore nVpn RAT


Twitter
@abuse_ch
NanoCore RAT C2:
ndlovusamkello.hopto.org:3940 (185.140.53.132)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence


File Origin
# of uploads :
1
# of downloads :
30
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255240 Sample: 2KGU6Ue1fD.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 74 ndlovusamkello.hopto.org 2->74 76 g.msn.com 2->76 78 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->78 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Sigma detected: NanoCore 2->86 88 4 other signatures 2->88 15 2KGU6Ue1fD.exe 2->15         started        18 wscript.exe 1 2->18         started        signatures3 process4 signatures5 112 Queues an APC in another process (thread injection) 15->112 114 Contains functionality to detect sleep reduction / modifications 15->114 20 notepad.exe 5 15->20         started        24 hdjfksfj.exe 18->24         started        process6 file7 66 C:\Users\user\AppData\...\hdjfksfj.exe, PE32 20->66 dropped 68 C:\Users\...\hdjfksfj.exe:Zone.Identifier, ASCII 20->68 dropped 70 C:\Users\user\AppData\Roaming\...\web.vbs, ASCII 20->70 dropped 94 Creates files in alternative data streams (ADS) 20->94 96 Drops VBS files to the startup folder 20->96 26 hdjfksfj.exe 20->26         started        98 Maps a DLL or memory area into another process 24->98 29 hdjfksfj.exe 24->29         started        31 hdjfksfj.exe 3 24->31         started        signatures8 process9 file10 102 Detected unpacking (changes PE section rights) 26->102 104 Detected unpacking (creates a PE file in dynamic memory) 26->104 106 Detected unpacking (overwrites its own PE header) 26->106 108 2 other signatures 26->108 34 hdjfksfj.exe 8 26->34         started        39 hdjfksfj.exe 26->39         started        41 hdjfksfj.exe 29->41         started        72 C:\Users\user\AppData\...\hdjfksfj.exe.log, ASCII 31->72 dropped signatures11 process12 dnsIp13 80 ndlovusamkello.hopto.org 185.140.53.132, 3940, 49738, 49739 DAVID_CRAIGGG Sweden 34->80 64 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 34->64 dropped 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->90 92 Maps a DLL or memory area into another process 41->92 43 hdjfksfj.exe 41->43         started        45 hdjfksfj.exe 2 41->45         started        file14 signatures15 process16 process17 47 hdjfksfj.exe 43->47         started        signatures18 116 Maps a DLL or memory area into another process 47->116 50 hdjfksfj.exe 47->50         started        52 hdjfksfj.exe 47->52         started        process19 process20 54 hdjfksfj.exe 50->54         started        signatures21 100 Maps a DLL or memory area into another process 54->100 57 hdjfksfj.exe 54->57         started        59 hdjfksfj.exe 54->59         started        process22 process23 61 hdjfksfj.exe 57->61         started        signatures24 110 Maps a DLL or memory area into another process 61->110
Threat name:
Win32.Trojan.DataStealer
Status:
Malicious
First seen:
2020-07-31 08:05:37 UTC
AV detection:
29 of 48 (60.42%)
Threat level
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Drops startup file
Executes dropped EXE
UPX packed file
NanoCore
Malware Config
Extraction:
ndlovusamkello.hopto.org:3940
185.140.53.132:3940
Threat name:
Tinba
Score:
1.00

Yara Signatures


Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 3a8a04925d66b89b7cdb459aa6fc33e5132c447efcc541ab86e17b74f64a8287

(this sample)

  
Delivery method
Distributed via web download

Comments