MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f9b2ff85d8fdeb4795e6cbee63e908cba9d205e835465ae80025a4d0d136c04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f9b2ff85d8fdeb4795e6cbee63e908cba9d205e835465ae80025a4d0d136c04
SHA3-384 hash: ed5fb061d9fefec0a4ef22b68441e3058bc7378da167d388ba53da71f3019d50211c177f37aad6c51c76e4a014248dfc
SHA1 hash: 615c6fbf899c80373d7b8800c322c077efc8a10e
MD5 hash: 922d12b4d7aa0700d3546d856e36947d
humanhash: snake-delaware-finch-twenty
File name:862020,pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:632'832 bytes
First seen:2020-08-06 06:56:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:EZgD7+1lg53Cub61XGXhbYZ41VNHWeYUxBMbBUCTBQ:qg+1uAJYVYZ4DN3MVUwi
Threatray 1'113 similar samples on MalwareBazaar
TLSH 08D4BD01B68589C6C7289E370560802056F1AE3E7931EE936AC4329B78FF7F81D1DED6
Reporter abuse_ch
Tags:exe NanoCore


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: web72.smartstrategies.gr
Sending IP: 88.99.208.204
From: Jaxon Chew Cheng Soon <Jaxon.CHEW@range.com.sg>
Subject: Range Enquiry - Request for Quote
Attachment: 862020,pdf.zip (contains "862020,pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40216/
Detection(s):
SecuriteInfo.com.Artemis922D12B4D7AA.21663.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412368
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 258434 Sample: 862020,pdf.exe Startdate: 06/08/2020 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 10 other signatures 2->51 8 862020,pdf.exe 7 2->8         started        12 MSBuild.exe 2 2->12         started        process3 file4 31 C:\Users\user\AppData\Roaming\qXawsSbB.exe, PE32 8->31 dropped 33 C:\Users\...\qXawsSbB.exe:Zone.Identifier, ASCII 8->33 dropped 35 C:\Users\user\AppData\Local\...\tmp9098.tmp, XML 8->35 dropped 37 C:\Users\user\AppData\...\862020,pdf.exe.log, ASCII 8->37 dropped 53 Writes to foreign memory regions 8->53 55 Injects a PE file into a foreign processes 8->55 14 MSBuild.exe 8 8->14         started        19 schtasks.exe 1 8->19         started        21 MSBuild.exe 8->21         started        23 conhost.exe 12->23         started        signatures5 process6 dnsIp7 41 billionaire.ddns.net 79.134.225.122, 3734 FINK-TELECOM-SERVICESCH Switzerland 14->41 39 C:\Users\user\AppData\Roaming\...\run.dat, data 14->39 dropped 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->43 25 schtasks.exe 1 14->25         started        27 conhost.exe 19->27         started        file8 signatures9 process10 process11 29 conhost.exe 25->29         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3f9b2ff85d8fdeb4795e6cbee63e908cba9d205e835465ae80025a4d0d136c04/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 06:58:09 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6ns76c5r7pli6k6ns7ompuqrs5j2ic6qnkglluaajne2ditnqca._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
036c0fbb1ffb23e9bfd4b4834a396d79ec319078865adf3ef75418450cf9fd18
NanoCore
0bfd3da17d4be33712b7b66d918fa6d911d31529cb24c9c81c042e3f65c1de2f
NanoCore
11e8dbf88b15aa6f09d5f7d9fffd3f333ec9a84b6bb9b9bb8c69dad6f5890603
NanoCore
24bbbef09b9e58d6da0fe8ae7dbfbc093dc5287cb26dc98e948684a1fc442642
NanoCore
3cb221973d52d12fc900f37496a9c5f77b30da63886a0f7d54111982c00e872b
NanoCore
404f05e16218e8fd6be8ddbe8b1e902bd523b21213928f2f595b29e0fce42a5a
NanoCore
56a37f303bc905ace197941dcc0519f3880baffe10c6d3ecfc80bbff1aae9059
NanoCore
d43cf8e5ba941f74e342991981490516814e671fb06595ca8fb0b6770e083b84
NanoCore
e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed
NanoCore
f19e8ff99a9037ceaf1e4bb1c3ea78529c755fc6dd0be5f26fd8b7d1269d712b
NanoCore
+ 1'103 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore evasion
Link:
https://tria.ge/reports/200806-4p26jpp946/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
billionaire.ddns.net:3734
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f9b2ff85d8fdeb4795e6cbee63e908cba9d205e835465ae80025a4d0d136c04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip ae1d222c98ee381a766ce7359ac369158917434bb83f0697a0fc0413f7fb0c95

NanoCore

Executable exe 3f9b2ff85d8fdeb4795e6cbee63e908cba9d205e835465ae80025a4d0d136c04

(this sample)

  
Dropped by
MD5 09e441499cb03bc3b8d99ac22963f847
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40216/
  
Dropped by
SHA256 ae1d222c98ee381a766ce7359ac369158917434bb83f0697a0fc0413f7fb0c95

Comments