MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b27db23756f4ddbd30a3875e30cdbff6cdcc1650a46e3c5a032da6f85cfdceb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	5b27db23756f4ddbd30a3875e30cdbff6cdcc1650a46e3c5a032da6f85cfdceb
SHA3-384 hash:	9c74aac6d2fdcfb93f144b72fa4f5215272e7920b85062c2b295bdc899650aaec994eb7309088adefb704108147b7d92
SHA1 hash:	f37c0ca9db58a784cf77712bcfaa6cf18233b495
MD5 hash:	4e0966f48e6fe2451eae96f7696dcab9
humanhash:	arizona-hotel-low-harry
File name:	wndll.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	317'440 bytes
First seen:	2020-06-30 19:23:08 UTC
Last seen:	2020-06-30 19:52:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:Wyuw3KZ2jvasqRLJgsaJwRZUwhhg5xH8XwCeKQAAXyQYCV8:76AjSsiLCCl8jYReKQAAXyQLV8
Threatray	1'336 similar samples on MalwareBazaar
TLSH	0564028CBE84DA15C82F0934D4A6D3B08361DE279502D75F69E67C5FB9333DA240B26B
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

Malspam distributing NanoCore:

HELO: semf05.mfg.siteprotect.com
Sending IP: 64.26.60.168
From: Shawn McKay <info@couvretoit.com>
Reply-To: prepre080@vivaldi.net
Subject: RESENDING: Quotation Needed
Attachment: PO300620.doc

NanoCore payload URL:
http://mrgeek.pk/wndll.exe

NanoCore RAT payload URL:
gold1.dnsupdate.info:4777 (79.134.225.84)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/18767/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.276.24420.10662.UNOFFICIAL

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/5b27db23756f4ddbd30a3875e30cdbff6cdcc1650a46e3c5a032da6f85cfdceb/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-30 19:25:04 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lmt5wi3vn5g5xuykhb26gdg375wnzqlfbjdohrnaglng7bop3tvq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

3521a9cd1d18d9991b29966ae472097ae2996fc50c230ac06762f9e7666656f5

NanoCore

483338a656b2a7bf095d9bf3ca950419f217acdb9812b3d0013ccc13785f305e

NanoCore

4dc229e375efa1e86ede0cf29688dff17e3ad50eee49e6b81991c7591542454e

NanoCore

602b19f259171ac577fb9d67952442c71809b4b3977484115883d7ed6be067a3

NanoCore

963ef1f1d728673b7769357ef250a53cf202abf7748fb780158e8b642aa63ba8

NanoCore

970f7d03e10292edf2d418d3f2c87a32a11c583ecf7c803917070bdbf136b0b1

NanoCore

bd23c3a3d5215798a115525fe15803ee5f4393ae77d49e081770761beecb14ea

NanoCore

e583f88a5a2f0078444fa97cfd8b4357bce832202ec6140ade6239e7687c1850

NanoCore

fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e

NanoCore

+ 1'326 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200630-wapmqvr6ee/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

NTFS ADS

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Drops startup file

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

gold1.dnsupdate.info:4777
gold080.ooguy.com:4777

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/