MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 404f05e16218e8fd6be8ddbe8b1e902bd523b21213928f2f595b29e0fce42a5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	404f05e16218e8fd6be8ddbe8b1e902bd523b21213928f2f595b29e0fce42a5a
SHA3-384 hash:	d8479d05009402e7a9611fc8fc624c909d7c8825bfb59ef6d28d13991ca6beb0cf62d9c5fdcb2a4a0cf876b63baa7f3d
SHA1 hash:	29e0bbc464c26a7aa787e7c93eb42f3393c2fa20
MD5 hash:	c51f9c4171e02255c02fec8424e2d8d5
humanhash:	mars-solar-lemon-oklahoma
File name:	82100029.2020.scr
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'078'005 bytes
First seen:	2020-06-16 11:00:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep	24576:6NA3R5drXdtecfZeVCU/e2PHBiqeJ3fFQYcGwXJXV:z5beg8heCiqAv6lBV
Threatray	1'447 similar samples on MalwareBazaar
TLSH	AE351202F7C684B2E57219324A3AB765A93D79301E24CE2FB7C05D2DEA71590E634B73
Reporter	abuse_ch
Tags:	NanoCore nVpn RAT scr

abuse_ch

NanoCore RAT C2:
stronggods.ddns.net:7590 (79.134.225.111)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/8235/

Detection(s):

SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Nanocore

Status:

Malicious

First seen:

2020-06-15 20:35:31 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ibhqlylcddup227i3w7iwhuqfpkshmqscoji6l2zlmu6b7hefjna._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

2a24ef9460476dc67c3e4f5fc17ddcf582e556def4278f8760d27f5b6e0735ca

NanoCore

6a0649a94dadf6581c913e92f01d0d0f2414b6fb7792f36250bd565b4b6ce481

NanoCore

a684a7d895b3f2ca56b7f169e595012c7aa82a66d58f91ef9f97cbe01134e549

NanoCore

ae9576df43dd4f5e8d48c6774e7bbbd1a6baaad219c4022dd49af9fdaec57d61

NanoCore

c2c3851dfab3b0b959145307759d5ed1cb64d92b7e0af87b79f0df0ee7b71e38

NanoCore

e777a395f2d28d4b57113b46bb4af52ec1e6d1d48342d0fb24a142df1fffbdc7

NanoCore

f163f4788da0d445dec687df7d215b6af3c4bea10589fa268e6aff20ff335510

NanoCore

f4cac50207b981342657091f9780a78c6ca6f4ebbf24c132d18dad13beba9864

NanoCore

f5b99bdcb3a09ccef9455e82dff1902b6913280d293be51d87de78fc418e9f72

NanoCore

+ 1'437 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

persistence evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200624-zef39llv22/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run entry to start application

Checks whether UAC is enabled

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

stronggods.ddns.net:7590
79.134.225.111:7590

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe 404f05e16218e8fd6be8ddbe8b1e902bd523b21213928f2f595b29e0fce42a5a

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/8235/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample