MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 5 Comments

SHA256 hash: 5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f
SHA3-384 hash: 304159cb906e0c7df9a38260dcbe9c855f62c7fcd3799203fd7801f865c03317d388e39cd7d12f8e5d7fe03908843c63
SHA1 hash: 562528a4a0ea3eefe8e5526ad68ffdf3df9b5e64
MD5 hash: bb4eb0cc2f31f248a9c2f38c0abbb252
humanhash: california-delaware-may-papa
File name:bb4eb0cc2f31f248a9c2f38c0abbb252.exe
Download: download sample
Signature NanoCore
File size:727'552 bytes
First seen:2020-07-31 08:32:06 UTC
Last seen:2020-07-31 08:59:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e374e6a01735b73e577e6a14415ed0c
ssdeep 12288:nCVMTcr5w3T2qnLaKr1K2KXIN0h13i4ywIgnI7od2DGFSb4v93wKhyqRt/nTji:CiQOD2qr1K2rNsU4nIn8j13wKhZ0
TLSH F0F4B023A2E04437D133167F9C1B676DA83ABD1C2E2498C62BE92D4C5F39771386A357
Reporter @abuse_ch
Tags:exe NanoCore nVpn RAT


Twitter
@abuse_ch
NanoCore RAT C2:
godisgood.hopto.org:2177 (185.165.153.30)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE

Intelligence


File Origin
# of uploads :
2
# of downloads :
35
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255241 Sample: mQkSxltFLk.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 102 godisgood.hopto.org 2->102 104 g.msn.com 2->104 106 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->106 126 Found malware configuration 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 Sigma detected: Scheduled temp file as task from temp location 2->130 132 8 other signatures 2->132 13 mQkSxltFLk.exe 2->13         started        16 dhcpmon.exe 2->16         started        18 dhcpmon.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 signatures5 138 Contains functionality to inject code into remote processes 13->138 140 Writes to foreign memory regions 13->140 142 Allocates memory in foreign processes 13->142 146 2 other signatures 13->146 22 notepad.exe 5 13->22         started        26 notepad.exe 16->26         started        28 notepad.exe 2 18->28         started        144 Maps a DLL or memory area into another process 20->144 30 hfsjrifske.exe 20->30         started        32 hfsjrifske.exe 3 20->32         started        process6 file7 86 C:\Users\user\AppData\...\hfsjrifske.exe, PE32 22->86 dropped 88 C:\Users\...\hfsjrifske.exe:Zone.Identifier, ASCII 22->88 dropped 134 Creates files in alternative data streams (ADS) 22->134 136 Drops VBS files to the startup folder 22->136 34 hfsjrifske.exe 22->34         started        90 C:\Users\user\AppData\Roaming\...\web.vbs, ASCII 26->90 dropped 37 hfsjrifske.exe 26->37         started        39 hfsjrifske.exe 28->39         started        41 hfsjrifske.exe 30->41         started        92 C:\Users\user\AppData\...\hfsjrifske.exe.log, ASCII 32->92 dropped signatures8 process9 signatures10 114 Detected unpacking (changes PE section rights) 34->114 116 Detected unpacking (creates a PE file in dynamic memory) 34->116 118 Detected unpacking (overwrites its own PE header) 34->118 122 2 other signatures 34->122 43 hfsjrifske.exe 1 15 34->43         started        48 hfsjrifske.exe 34->48         started        50 hfsjrifske.exe 37->50         started        52 hfsjrifske.exe 37->52         started        120 Maps a DLL or memory area into another process 39->120 54 hfsjrifske.exe 39->54         started        56 hfsjrifske.exe 39->56         started        58 hfsjrifske.exe 41->58         started        60 hfsjrifske.exe 41->60         started        process11 dnsIp12 108 185.165.153.30, 2177, 49715, 49722 DAVID_CRAIGGG Netherlands 43->108 110 192.168.2.1 unknown unknown 43->110 112 godisgood.hopto.org 43->112 94 C:\Program Files (x86)\...\dhcpmon.exe, PE32 43->94 dropped 96 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 43->96 dropped 98 C:\Users\user\AppData\Local\...\tmp8E16.tmp, XML 43->98 dropped 100 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 43->100 dropped 148 Hides that the sample has been downloaded from the Internet (zone.identifier) 43->148 62 schtasks.exe 1 43->62         started        64 schtasks.exe 1 43->64         started        66 hfsjrifske.exe 50->66         started        69 hfsjrifske.exe 54->69         started        file13 signatures14 process15 signatures16 71 conhost.exe 62->71         started        73 conhost.exe 64->73         started        124 Maps a DLL or memory area into another process 69->124 75 hfsjrifske.exe 69->75         started        77 hfsjrifske.exe 69->77         started        process17 process18 79 hfsjrifske.exe 71->79         started        signatures19 150 Maps a DLL or memory area into another process 79->150 82 hfsjrifske.exe 79->82         started        84 hfsjrifske.exe 79->84         started        process20
Threat name:
Win32.Trojan.DataStealer
Status:
Malicious
First seen:
2020-07-31 08:34:06 UTC
AV detection:
21 of 31 (67.74%)
Threat level
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Loads dropped DLL
Drops startup file
Executes dropped EXE
UPX packed file
NanoCore
Malware Config
Extraction:
godisgood.hopto.org:2177
185.165.153.30:2177
Threat name:
Tinba
Score:
1.00

Yara Signatures


Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f

(this sample)

  
Delivery method
Distributed via web download

Comments