MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71780838c65e2e41dcadb7ca2dcb77577e30288049f1d74dee5ede2e70ff4115. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71780838c65e2e41dcadb7ca2dcb77577e30288049f1d74dee5ede2e70ff4115
SHA3-384 hash: 389c64dc5154f0912d1e828724694b901ad023b67d9eb898f068bb95e2d1e0614942b825f70890e8b376fe291a22c41b
SHA1 hash: c0ca155076c1860f62b3e3467887aaa56fb18a1e
MD5 hash: 06381ca8498d7af60ca27b4a1320626d
humanhash: solar-skylark-shade-nine
File name:Ref 00362426829_statement_PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:773'120 bytes
First seen:2020-07-22 06:32:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:hYZGVAe89brrTSPFYmwpmqeDSvd+UTvM75st/QaDNiGqRNGvlRv6nnjqKoem:iZ9/nSPF1wxeOV+UTMqbNxENGD6nnjqd
Threatray 1'087 similar samples on MalwareBazaar
TLSH 85F4E0973944859CCF6D55FAA207454433E9CCBFD618E6097FC833939EE6B920822B1B
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: server.nemutlu.com.tr
Sending IP: 94.102.12.60
From: E-Westpac <noreply@westpac.com.au>
Subject: Debit July 22, 2020 bank statament (Ref: 00362426829)
Attachment: Ref 00362426829_statement_PDF.r00 (contains "Ref 00362426829_statement_PDF.exe")

NanoCore RAT C2:
79.134.225.85:2468

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30756/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394367
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249572 Sample: Ref 00362426829_statement_PDF.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 11 other signatures 2->76 8 Ref 00362426829_statement_PDF.exe 7 2->8         started        11 wpasv.exe 5 2->11         started        13 Ref 00362426829_statement_PDF.exe 4 2->13         started        15 wpasv.exe 2->15         started        process3 file4 60 C:\Users\user\AppData\Roaming\oJvEqrTt.exe, PE32 8->60 dropped 62 C:\Users\...\oJvEqrTt.exe:Zone.Identifier, ASCII 8->62 dropped 64 C:\Users\user\AppData\Local\...\tmp2AE2.tmp, XML 8->64 dropped 66 C:\...\Ref 00362426829_statement_PDF.exe.log, ASCII 8->66 dropped 17 Ref 00362426829_statement_PDF.exe 1 15 8->17         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 11->24         started        26 wpasv.exe 11->26         started        28 wpasv.exe 11->28         started        30 schtasks.exe 13->30         started        32 Ref 00362426829_statement_PDF.exe 13->32         started        34 schtasks.exe 15->34         started        36 wpasv.exe 15->36         started        process5 dnsIp6 68 79.134.225.85, 2468, 49710 FINK-TELECOM-SERVICESCH Switzerland 17->68 54 C:\Program Files (x86)\...\wpasv.exe, PE32 17->54 dropped 56 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 17->56 dropped 58 C:\...\wpasv.exe:Zone.Identifier, ASCII 17->58 dropped 78 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->78 38 schtasks.exe 1 17->38         started        40 schtasks.exe 1 17->40         started        42 conhost.exe 22->42         started        44 conhost.exe 24->44         started        46 conhost.exe 30->46         started        48 conhost.exe 34->48         started        file7 signatures8 process9 process10 50 conhost.exe 38->50         started        52 conhost.exe 40->52         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/71780838c65e2e41dcadb7ca2dcb77577e30288049f1d74dee5ede2e70ff4115/
Threat name:
ByteCode-MSIL.Trojan.RandomKrypt
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 06:34:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=of4aqogglyxedxfnw7fc3s3xk57dakeajhy5otpol3pc44h7iekq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
140902e2a23240a35b3e72be9c0878d18c2a7b4780feab213cbcc03156804c05
NanoCore
34f1b02bdccebe61deb518957acd32c9a64ce358102db3be15ed7d46f9945004
NanoCore
477cb5bab3165ce1ab6479c08937920b3b88ea3860fd69d74f8e6cdd644ce0b9
NanoCore
70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19
NanoCore
786e5ea538d875c628433d6cf45abd9559ede017b01b3fca8eb3bfc6dbc66f12
NanoCore
af7b5b39405065f105a0bf0f53578061adcd58a5861bb38827dd0f62df4f57ed
NanoCore
e847719a98762bcf7422064186c2cdbb2f58000622448c3adcb6769b7cfbea68
NanoCore
ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb
NanoCore
ec89b2b660ea42254a90f3b045dc98bfe6d1733878bd39a2a7030d68de169859
NanoCore
f0fa2d366b28cfa858d00232f1073be3dbea215480c630a6489b38acdbb7af83
NanoCore
+ 1'077 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200722-xb3w9vyqsj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
79.134.225.85:2468
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71780838c65e2e41dcadb7ca2dcb77577e30288049f1d74dee5ede2e70ff4115

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

r00 87772f5e04cf4aec42495dc113c7e057c68d88c7ef6760402e39bec2e94bbb8d

NanoCore

Executable exe 71780838c65e2e41dcadb7ca2dcb77577e30288049f1d74dee5ede2e70ff4115

(this sample)

  
Dropped by
MD5 48639417285d359a6dff65af51b5fbca
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30756/
  
Dropped by
SHA256 87772f5e04cf4aec42495dc113c7e057c68d88c7ef6760402e39bec2e94bbb8d

Comments