MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53f8cc2c02f01b2b96309392a26f52d45ad876f26074607961fde7661d8f6c5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53f8cc2c02f01b2b96309392a26f52d45ad876f26074607961fde7661d8f6c5f
SHA3-384 hash: f88012f44d95dab49088f340b6def20c7821709083b17aa5625669cd43dec7ecd8671e3e5d079fd4412c48d306b8e37d
SHA1 hash: b4aa108f092d2a614d565d60688492461b572655
MD5 hash: 5eba5199c094b2d0a53be84f54621af0
humanhash: michigan-vermont-asparagus-romeo
File name:Scan fxpagment070720.scr
Download: download sample
Signature NanoCore
Create hunting rule
File size:769'024 bytes
First seen:2020-07-07 12:54:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b1319cb6f7a0fd58f391eaf297f9d0e (11 x AgentTesla, 5 x Loki, 1 x 404Keylogger)
ssdeep 12288:KSRWdeE6Z9P/LH0DacqAfECBUGfAZEt9vINgivTmC62WuXp6xZ1GzU8LXgluUYyi:9Qh6Z9PTADftOuuTxeZ1GguUTeCBm
Threatray 2'655 similar samples on MalwareBazaar
TLSH CEF49E12F2A00432E13219385C2B9678AA39BD503DB85D765BE77F4CFF79243346A19B
Reporter abuse_ch
Tags:NanoCore nVpn RAT scr


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mail.webdesigners.ch
Sending IP: 193.138.215.176
From: MULTIBANCO <info@multibanco.pt>
Reply-To: aoswald@mail.com
Subject: FORMA DE PAGAMENTO
Attachment: Scan fxpagment070720.jpg.img (contains "Scan fxpagment070720.scr")

NanoCore RAT C2:
newjege.duckdns.org:2025 (79.134.225.74)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22287/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.12662.24668.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/383587
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 243944 Sample: Scan fxpagment070720.scr Startdate: 07/07/2020 Architecture: WINDOWS Score: 100 124 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->124 126 Found malware configuration 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 14 other signatures 2->130 10 Scan fxpagment070720.exe 2->10         started        13 mozila.exe 2->13         started        15 wpasv.exe 2->15         started        17 2 other processes 2->17 process3 signatures4 142 Writes to foreign memory regions 10->142 144 Allocates memory in foreign processes 10->144 146 Queues an APC in another process (thread injection) 10->146 19 notepad.exe 5 10->19         started        148 Maps a DLL or memory area into another process 13->148 23 mozila.exe 13->23         started        25 mozila.exe 3 13->25         started        27 notepad.exe 15->27         started        29 notepad.exe 17->29         started        31 mozila.exe 17->31         started        process5 file6 92 C:\Users\user\AppData\Roaming\...\mozila.exe, PE32 19->92 dropped 94 C:\Users\user\...\mozila.exe:Zone.Identifier, ASCII 19->94 dropped 132 Creates files in alternative data streams (ADS) 19->132 134 Drops VBS files to the startup folder 19->134 33 mozila.exe 19->33         started        36 mozila.exe 23->36         started        96 C:\Users\user\AppData\...\mozila.exe.log, ASCII 25->96 dropped 98 C:\Users\user\AppData\Roaming\...\chrome.vbs, ASCII 27->98 dropped 38 mozila.exe 27->38         started        40 mozila.exe 29->40         started        136 Maps a DLL or memory area into another process 31->136 42 mozila.exe 31->42         started        44 mozila.exe 31->44         started        signatures7 process8 signatures9 114 Multi AV Scanner detection for dropped file 33->114 116 Detected unpacking (changes PE section rights) 33->116 118 Detected unpacking (creates a PE file in dynamic memory) 33->118 122 3 other signatures 33->122 46 mozila.exe 1 19 33->46         started        51 mozila.exe 33->51         started        120 Maps a DLL or memory area into another process 36->120 53 mozila.exe 36->53         started        55 mozila.exe 36->55         started        57 mozila.exe 38->57         started        59 mozila.exe 38->59         started        61 mozila.exe 40->61         started        63 mozila.exe 40->63         started        65 mozila.exe 42->65         started        process10 dnsIp11 108 newjege.duckdns.org 79.134.225.74, 2025, 49722 FINK-TELECOM-SERVICESCH Switzerland 46->108 100 C:\Program Files (x86)\...\wpasv.exe, PE32 46->100 dropped 102 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 46->102 dropped 104 C:\Users\user\AppData\Local\...\tmp5829.tmp, XML 46->104 dropped 106 C:\...\wpasv.exe:Zone.Identifier, ASCII 46->106 dropped 110 Hides that the sample has been downloaded from the Internet (zone.identifier) 46->110 67 schtasks.exe 1 46->67         started        69 schtasks.exe 1 46->69         started        71 mozila.exe 53->71         started        74 mozila.exe 57->74         started        76 mozila.exe 61->76         started        112 Maps a DLL or memory area into another process 65->112 78 mozila.exe 65->78         started        80 mozila.exe 65->80         started        file12 signatures13 process14 signatures15 82 conhost.exe 67->82         started        84 conhost.exe 69->84         started        138 Maps a DLL or memory area into another process 71->138 140 Sample uses process hollowing technique 71->140 86 mozila.exe 74->86         started        88 mozila.exe 76->88         started        90 mozila.exe 76->90         started        process16
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/53f8cc2c02f01b2b96309392a26f52d45ad876f26074607961fde7661d8f6c5f/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 12:56:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kp4mylac6ansxfrqsojke32s2rnnq5xsmb2ga6lb7xtwmhmpnrpq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
366bac9db38e89bd47b0128bdf62a4f986d1d27449c12920744e157b819751f1
NanoCore
3874eba497e0b61949d0772430ce1df420e28777dba850a6033295212e9de9c5
NanoCore
6e417fffcd28aea1071fa5c5b240b2f2e655efd6a153040c3fb64876736dcaa5
NanoCore
a498ac74ffd2f4ceccc802b5a42f33e067a7eb6f0b2125c3cf3668dd5c0c7833
NanoCore
bc9deb7c274339a0a8b594def58348a995b3d7af4764c796c365b683b7400aea
NanoCore
cc829675a0e11138d47b42b5c19e45403d7d73731aac0c97ca8b2a0e37a960f8
NanoCore
cea1d36e04dc9357211734f659dfe352056afc40779ee251fee4e72ceec619bf
NanoCore
de5da27d55060988faa9fb717e8b32e374bca6d86f7eb758c3b1aa062c5aa90b
NanoCore
e41e433626e9dbf6c3a56c29c9dc60adfa53f71cd1c3bc10d682a1b2239c576d
NanoCore
f304855a11aedd539b9bdb686b1d5781e0d7080560f9520c6bda8586947b3285
NanoCore
+ 2'645 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200707-8dj82xbqca/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
NTFS ADS
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Loads dropped DLL
Drops startup file
Executes dropped EXE
UPX packed file
NanoCore
Malware Config
C2 Extraction:
newjege.duckdns.org:2025
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img deacc9e4cad9d952aee3861a56a39e879221d1c0441336c4b3bd797ef60e0d87

NanoCore

Executable exe 53f8cc2c02f01b2b96309392a26f52d45ad876f26074607961fde7661d8f6c5f

(this sample)

  
Dropped by
MD5 867e00b6249f9fff09118eff6d896352
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 deacc9e4cad9d952aee3861a56a39e879221d1c0441336c4b3bd797ef60e0d87
Cape
Cape
https://www.capesandbox.com/analysis/22287/

Comments