MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 662f115f07c983b7c060eb8a98b4dfa8951df8f3149e71523d2de7ee97d9139e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 662f115f07c983b7c060eb8a98b4dfa8951df8f3149e71523d2de7ee97d9139e
SHA3-384 hash: 5208c5034b1b9287e4671927ca5b24b4bc028b0dc94cae4bd67f04e39d5c91fe91451e5e75c59ca5cb636ba49ba59ba5
SHA1 hash: 7b3afe405af097307e8e42fc0b133a996b1323d9
MD5 hash: 0445ce164700aac73b71ca0ebe462c36
humanhash: yellow-nevada-colorado-ten
File name:img_Payment Advice_822020_jpg.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:760'320 bytes
First seen:2020-08-03 07:25:33 UTC
Last seen:2020-08-03 13:00:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 831ec412be4cd06baa632b18086fedb4 (12 x AgentTesla, 6 x MassLogger, 6 x Loki)
ssdeep 12288:WZnVKDTViiHWs0H/3b6Wx/wtmqOFOUW3WFjMKAzDtzzUov+uSTx/:A44isf3bXot2CWVJKRvqx/
Threatray 3'128 similar samples on MalwareBazaar
TLSH B3F4AF62A6E0C533C1261A3C9D1B677C9C39BFD06A28B8766FF91C4C4F3969138E5193
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: aitinnovation.co.th
Sending IP: 95.211.208.25
From: HUNG LONG MANUFACTURING AND TRADING CO <orawan@aitinnovation.co.th>
Subject: 重要通知紧急/URGENT REQUEST FOR QUOTATION -WE WANT TO BUY
Attachment: img_Payment Advice_822020_jpg.gz (contains "img_Payment Advice_822020_jpg.exe")

NanoCore RAT C2:
79.134.225.71:1990

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
4
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37457/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Sending a UDP request
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/407584
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Keylogger Generic
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256070 Sample: img_Payment Advice_822020_jpg.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 100 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Sigma detected: Scheduled temp file as task from temp location 2->94 96 13 other signatures 2->96 10 img_Payment Advice_822020_jpg.exe 2->10         started        13 img_Payment Advice_822020_jpg.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        process3 signatures4 100 Maps a DLL or memory area into another process 10->100 19 img_Payment Advice_822020_jpg.exe 1 14 10->19         started        24 img_Payment Advice_822020_jpg.exe 10->24         started        26 img_Payment Advice_822020_jpg.exe 13->26         started        28 img_Payment Advice_822020_jpg.exe 3 13->28         started        30 dhcpmon.exe 15->30         started        32 dhcpmon.exe 3 15->32         started        34 dhcpmon.exe 17->34         started        36 dhcpmon.exe 17->36         started        process5 dnsIp6 84 79.134.225.71, 1990, 49715, 49716 FINK-TELECOM-SERVICESCH Switzerland 19->84 74 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->74 dropped 76 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 19->76 dropped 78 C:\Users\user\AppData\Local\Temp\tmp326.tmp, XML 19->78 dropped 80 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->80 dropped 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->98 38 schtasks.exe 1 19->38         started        40 schtasks.exe 1 19->40         started        42 img_Payment Advice_822020_jpg.exe 26->42         started        82 C:\...\img_Payment Advice_822020_jpg.exe.log, ASCII 28->82 dropped 45 dhcpmon.exe 30->45         started        47 dhcpmon.exe 34->47         started        file7 signatures8 process9 signatures10 49 conhost.exe 38->49         started        51 conhost.exe 40->51         started        102 Maps a DLL or memory area into another process 42->102 53 img_Payment Advice_822020_jpg.exe 42->53         started        55 img_Payment Advice_822020_jpg.exe 42->55         started        57 dhcpmon.exe 45->57         started        59 dhcpmon.exe 45->59         started        61 dhcpmon.exe 47->61         started        63 dhcpmon.exe 47->63         started        process11 process12 65 img_Payment Advice_822020_jpg.exe 53->65         started        68 dhcpmon.exe 57->68         started        signatures13 86 Maps a DLL or memory area into another process 65->86 88 Sample uses process hollowing technique 65->88 70 img_Payment Advice_822020_jpg.exe 65->70         started        72 dhcpmon.exe 68->72         started        process14
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/662f115f07c983b7c060eb8a98b4dfa8951df8f3149e71523d2de7ee97d9139e/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-02 21:57:33 UTC
AV detection:
38 of 48 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=myxrcxyhzgb3pqda5ofjrng7vckr36htcsphcur5fxt65f6zcopa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
04428691034f3f528edcfb3a87d8edb1ea37d2cba338657e29ebc857c2fa5a6b
NanoCore
30a0f8b6dc30fb3a9e649149d9e92f39b50b4d9c595f9d5c4400c62caad0b7b4
NanoCore
8ec138573f2b77cd4a2772d6d2abcc2130ac1d901340505332ce78fc7096622e
NanoCore
94d2d1aeebeff231fe2536de9f0d7eb42f80686b30ee6a54e3019670f381b943
NanoCore
9bcf29ef3bbb1003db97934e2412dfb77fc1d289797a9b4eab2af243bbc8987f
NanoCore
a97aec67e2a556ec45ea8aa3db146d119d39b14486db55ad5b930f8295eccfae
NanoCore
c95e7d84353b77c81870d17df0d8a73387b3d3804b5db509b50176b049fa7a8b
NanoCore
eadde88c8f7d7dcd4174654c77714475743d46b6314f56790e04da399f62f878
NanoCore
ed7fa775e6484fee75934743e821a3a050e35831a0574685fb124a3e4766a85a
NanoCore
fe36f8b161c6e9f38fba4be32eb2b67846c9c93de9f48028762f79e5ee2b6169
NanoCore
+ 3'118 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200803-h4r13gkd6a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
UPX packed file
NanoCore
Malware Config
C2 Extraction:
79.134.225.71:1990
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/662f115f07c983b7c060eb8a98b4dfa8951df8f3149e71523d2de7ee97d9139e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz 99c8fc0b2004e278ee1caf4a742e4d66374581046cd3bcb95245b13342672af2

NanoCore

Executable exe 662f115f07c983b7c060eb8a98b4dfa8951df8f3149e71523d2de7ee97d9139e

(this sample)

  
Dropped by
MD5 1a1e39e0268d0c290306aeb5b7c1a9d0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37457/
  
Dropped by
SHA256 99c8fc0b2004e278ee1caf4a742e4d66374581046cd3bcb95245b13342672af2

Comments