MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b6c1b2aaa6f7f89812ed6be3f275ff5de8827c61b14372242a617604baa0e8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b6c1b2aaa6f7f89812ed6be3f275ff5de8827c61b14372242a617604baa0e8c
SHA3-384 hash: bf354b3b9939492a5d5e42f4c710400856640bc94d584f8d505694ee4f31d4b295265104f9cca47eee03a47ad2bb111a
SHA1 hash: 76db6e52b371b01039ccb009f7371ed9ebb16a0a
MD5 hash: ed30a62c9c2e90f2157ef060db76b211
humanhash: beryllium-lake-pasta-virginia
File name:BILLING STATEMENT 0342.PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'105'914 bytes
First seen:2020-07-20 09:21:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:6NA3R5drXdtGWpmYMrxIK6f+aXGV+99kWIK3i6pNEOwK:z5bvjMmK6f+aM408iONt
Threatray 1'275 similar samples on MalwareBazaar
TLSH 33351202FAC288B2E9731E321A26B7106D3D7D701F24DA0FB7D44D699A75091B229F77
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: hermancarlo.com
Sending IP: 162.210.98.146
From: SAMERAC GROUP EU <sameracmanila@yahoo.com>
Subject: RE: BILLING STATEMENT
Attachment: BILLING STATEMENT 0342.PDF.LZH (contains "BILLING STATEMENT 0342.PDF.exe")

NanoCore RAT C2:
leewardmarineservices.mywire.org:54985 (91.193.75.22)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@privacyfirst.sh'

inetnum: 91.193.75.0 - 91.193.75.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
abuse-c: ACRO34258-RIPE
mnt-by: PRIVACYFIRST-MNT
mnt-by: RIPE-NCC-END-MNT
status: ASSIGNED PI
org: ORG-KHd1-RIPE
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2020-07-15T15:25:07Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28868/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391214
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247972 Sample: BILLING STATEMENT 0342.PDF.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 53 leewardmarineservices.mywire.org 2->53 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 12 other signatures 2->63 10 BILLING STATEMENT 0342.PDF.exe 35 2->10         started        13 bkhcentm.pif 1 2->13         started        16 bkhcentm.pif 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 47 C:\Users\user\AppData\...\bkhcentm.pif, PE32 10->47 dropped 20 bkhcentm.pif 1 3 10->20         started        73 Writes to foreign memory regions 13->73 75 Allocates memory in foreign processes 13->75 77 Sleep loop found (likely to delay execution) 13->77 24 RegSvcs.exe 2 13->24         started        79 Injects a PE file into a foreign processes 16->79 26 RegSvcs.exe 16->26         started        28 conhost.exe 18->28         started        30 RegSvcs.exe 18->30         started        signatures6 process7 file8 45 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 20->45 dropped 65 Multi AV Scanner detection for dropped file 20->65 67 Writes to foreign memory regions 20->67 69 Allocates memory in foreign processes 20->69 71 2 other signatures 20->71 32 RegSvcs.exe 8 20->32         started        signatures9 process10 dnsIp11 49 leewardmarineservices.duckdns.org 79.134.225.74, 49736, 49737, 49738 FINK-TELECOM-SERVICESCH Switzerland 32->49 51 leewardmarineservices.mywire.org 91.193.75.22, 49733, 49734, 49735 DAVID_CRAIGGG Serbia 32->51 41 C:\Users\user\AppData\Roaming\...\run.dat, data 32->41 dropped 43 C:\Users\user\AppData\Local\...\tmpE270.tmp, XML 32->43 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->55 37 schtasks.exe 1 32->37         started        file12 signatures13 process14 process15 39 conhost.exe 37->39         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7b6c1b2aaa6f7f89812ed6be3f275ff5de8827c61b14372242a617604baa0e8c/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 09:23:08 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pnwbwkvkn57ytajo227d6j276xpiqj6gdmkdoiscuylwas5kb2ga._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0112bdb90e11eb117a1066b44657e7afba86f5a6155da9c12e25c346a34b36ca
NanoCore
39a0ad9117de868c1aa3f891c58e750ef8688b829582c08c4c39098b94bf4f9c
NanoCore
3b4671b291ffeef0bc2d488a2273b1bcc2546037229b29e4660254a71f03df82
NanoCore
6eb767d15a657e7d39c9534bbd4b24bcc9fb7d72b100b5456ac975a002ef93a9
NanoCore
830ebbba209b2d1403ad73d769b387ab9ee0d89f22a56aecdaf306e4d5e0e439
NanoCore
8bc57dbd7aa1c3ac5b3e4f743eb616b93aec9bae6975ccdaa9ad596ada32275b
NanoCore
93716c86a95207d2a151c0b3ff70e14b16fd7bf7dace1b17449f51eb05a17c2a
NanoCore
b3341f5ac11aa0fa650041140c40eb6af30807483d5289a8f3d9fba32aa8992d
NanoCore
c584bd401bfecf5f40656ed9af67d2b136413d4d5180aa8b065b375ea6a8eab0
NanoCore
d2d355ef39f411f81c87e1c3e6feef02a0dccacf3cc37aa583e97ab9403e2ee8
NanoCore
+ 1'265 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore evasion persistence
Link:
https://tria.ge/reports/200720-wbqjljzhc2/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
leewardmarineservices.mywire.org:54985
leewardmarineservices.duckdns.org:54985
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b6c1b2aaa6f7f89812ed6be3f275ff5de8827c61b14372242a617604baa0e8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 193469816e8dc1ea95649fb6ceea55924d893589a4784f9b2396dc386394e09e

NanoCore

Executable exe 7b6c1b2aaa6f7f89812ed6be3f275ff5de8827c61b14372242a617604baa0e8c

(this sample)

  
Dropped by
MD5 a3632b05867a2291f77e10c4caeb1bcb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28868/
  
Dropped by
SHA256 193469816e8dc1ea95649fb6ceea55924d893589a4784f9b2396dc386394e09e

Comments