MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60c933d92c32bb887976e0b949092fd822643d445b79a3289eb548866e35ea09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60c933d92c32bb887976e0b949092fd822643d445b79a3289eb548866e35ea09
SHA3-384 hash: 8bb7b7b600d3a13960c98751c794801554a85cf0b2b7dec9884584534e1e999e73d3118955efa0fbdfe2c408eef20445
SHA1 hash: 3885b11da6798b9838843b16f1aa889a99da9cd5
MD5 hash: c4cf58e7d1c7b1dc2e7b68658380cc0d
humanhash: jupiter-triple-music-high
File name:Logistics-04-08-2020.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:972'288 bytes
First seen:2020-08-04 10:56:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:vH3gKtD8HOJrTGBuMq1V5p4wJ8hkdTq8+3iSvUJW1WXZ8RZnunpdFXG7g3uZ9mKe:vXgQ8H2GBuJVJZVQkX7JWYcR
Threatray 1'126 similar samples on MalwareBazaar
TLSH A3256CC2F1449A51CC5A5E3A8D23DA9443737D6AEF47D70634C4BA2B78F34C29A36683
Reporter abuse_ch
Tags:exe Hostwinds NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: hwsrv-758891.hostwindsdns.com
Sending IP: 104.168.203.3
From: Carlos Henrique <info@loburig.com>
Subject: RE: Egea Logistics/04.08.2020
Attachment: Logistics-04-08-2020.r01 (contains "Logistics-04-08-2020.exe")

NanoCore RAT C2:
mn255.freeddns.org:1605 (185.19.85.150)

% Information related to '185.19.84.0 - 185.19.85.255'

% Abuse contact for '185.19.84.0 - 185.19.85.255' is 'abuse@datawire.ch'

inetnum: 185.19.84.0 - 185.19.85.255
netname: DATAWIRE-DATACENTERS
descr: CUSTOMERS ZG01
country: CH
admin-c: DA4314-RIPE
tech-c: DA4314-RIPE
status: ASSIGNED PA
mnt-by: DATAWIRE-NOC
created: 2013-09-23T14:18:55Z
last-modified: 2013-09-23T14:18:55Z
source: RIPE

role: DATAWIRE AG
address: Hinterbergstrasse 22
admin-c: SH3634-RIPE
tech-c: SH3634-RIPE
nic-hdl: DA4314-RIPE
mnt-by: DATAWIRE-NOC
created: 2012-01-03T15:42:22Z
last-modified: 2013-08-25T14:21:45Z
source: RIPE # Filtered
abuse-mailbox: abuse@datawire.ch

% Information related to '185.19.84.0/22AS48971'

route: 185.19.84.0/22
descr: DATAWIRE AG DATACENTERS
origin: AS48971
mnt-by: DATAWIRE-NOC
created: 2013-03-07T20:43:03Z
last-modified: 2013-03-07T20:43:03Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38522/
Detection(s):
SecuriteInfo.com.Backdoor.MSIL.Bladabindi.28743.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun by creating a file
Result
Threat name:
Nanocore MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/409136
Signature
Detected Nanocore Rat
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sample uses process hollowing technique
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MailPassView
Yara detected Nanocore RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/60c933d92c32bb887976e0b949092fd822643d445b79a3289eb548866e35ea09/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 10:58:07 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdethwjmgk5yq6lw4c4uscjp3argipkeln42gke6wveim3rv5ieq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
34670f14b9ca4fcb265b261d99b7178e489b63bfd9c0c3d06ce633f474aa12c4
NanoCore
474af782fd84f7b982a4c49deeaf3431aeadd1e52528dc7dd8e3bb29bde9c40f
NanoCore
48f5ec7f8dface6902c82f810be45ae1d8be5f3697afc232743b9153d46883a6
NanoCore
7c1edf2a2fd0fc1499931f60cd7363812513b4f410ae32677a7a63c355568ecd
NanoCore
af7aa3b76b8d11ba1d518006e2b4ea6d574573bd2bba6594a57825e33f9ed87c
NanoCore
b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0
NanoCore
d4cca60154fcc667ada19dffbac16f84b51691a540daf850a766b91bd46544fe
NanoCore
daa11a454d19db26e0628d81c0b187667405e26c08bdd466e43565d9b065c952
NanoCore
db914bd57e726ca85a49a1747e81e86c89c3548ad941727a8d6c7d8b5eafa04f
NanoCore
fd8099db1cfa62c7507e5d163096c9c558b653540cad6f8f0211e12f1f623933
NanoCore
+ 1'116 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore evasion
Link:
https://tria.ge/reports/200804-4xs1r5vykx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
mn255.freeddns.org:1605
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60c933d92c32bb887976e0b949092fd822643d445b79a3289eb548866e35ea09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

r01 f050c74e4c31afd7977a3e4f52875714f112354ed325cd814cd166bc7aad949f

NanoCore

Executable exe 60c933d92c32bb887976e0b949092fd822643d445b79a3289eb548866e35ea09

(this sample)

  
Dropped by
MD5 2120f85dee798635230cb218c9b7f998
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38522/
  
Dropped by
SHA256 f050c74e4c31afd7977a3e4f52875714f112354ed325cd814cd166bc7aad949f

Comments