MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dc229e375efa1e86ede0cf29688dff17e3ad50eee49e6b81991c7591542454e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	4dc229e375efa1e86ede0cf29688dff17e3ad50eee49e6b81991c7591542454e
SHA3-384 hash:	22a5068b555cf176c88bbf61d5f5d8ef2762ee9c1da69f819dc1a1997d46f68603efca9612e8288fc3bed0102b32bf2d
SHA1 hash:	a64e6956d5798274fff492d2a8b136dc19056716
MD5 hash:	bf04cf33b0f3d7017be1f9be03eb7e40
humanhash:	music-low-iowa-florida
File name:	snllwd.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	317'952 bytes
First seen:	2020-07-01 18:24:32 UTC
Last seen:	2020-08-02 07:34:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:uTcuvGj7NGU4uXdAZgzooEowxpPIUiF2cXyQYCV8:AvMGUbNAZgz8pPYTXyQLV8
Threatray	1'257 similar samples on MalwareBazaar
TLSH	14640149FF88D452CA9E4274C092C2706390CE3B7643D31BA9867E8F7D633CA564B5A7
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: semf02.mfg.siteprotect.com
Sending IP: 64.26.60.165
From: Laura Lindsay <Info@campingmarinalouiseville.com>
Reply-To: prepre080@vivaldi.net
Subject: RESENDING: Quotation Needed
Attachment: PO01072020.xlsm

NanoCore payload URL:
http://mrgeek.pk/snllwd.exe

NanoCore RAT C2:
gold1.dnsupdate.info:4777 (79.134.225.84)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/18263/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.276.5130.21623.UNOFFICIAL

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/4dc229e375efa1e86ede0cf29688dff17e3ad50eee49e6b81991c7591542454e/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-07-01 18:26:04 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jxbcty3v56q6q3w6btzjncg76f7dvvio5ze6noazshdvsfkcivha._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

1d21886bb28a6dfb2f331cb95cf7b74dbb5ae79dc70bbcd7451f15afd53999e1

NanoCore

4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470

NanoCore

5b27db23756f4ddbd30a3875e30cdbff6cdcc1650a46e3c5a032da6f85cfdceb

NanoCore

8ee9784e9c874e7b40e667115655e0965420c5233238ca1499cdd7c25c79dc6c

NanoCore

970f7d03e10292edf2d418d3f2c87a32a11c583ecf7c803917070bdbf136b0b1

NanoCore

a032cd20c067b83f1cab391af7671f7ae669de96dbf995f08580b14d218aeccc

NanoCore

e583f88a5a2f0078444fa97cfd8b4357bce832202ec6140ade6239e7687c1850

NanoCore

f0cbd144abefbde7656a8ab6733b337165ea5929fd1829f179e8a852275d059f

NanoCore

fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e

NanoCore

+ 1'247 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200701-p962a8zyke/

Behaviour

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Drops startup file

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

gold1.dnsupdate.info:4777
gold080.ooguy.com:4777

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/