MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d1ce7961e394f55fb7162e18e6cf587faa463d29ba5976eaad83b409f060621. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 5 Comments

SHA256 hash: 7d1ce7961e394f55fb7162e18e6cf587faa463d29ba5976eaad83b409f060621
SHA3-384 hash: c6f38e148753effd3797a00c9820a7cb50c303159522f664e929d4a79a8dd5077bb87217fd447c5679c4a0c547733bb9
SHA1 hash: 584fb65f5715bd901a5931e320cd6706927ab110
MD5 hash: 50620a618761d63b20428dfc609bd570
humanhash: crazy-network-cola-quiet
File name:REF_ST73020203576_PDF.exe
Download: download sample
Signature NanoCore
File size:744'960 bytes
First seen:2020-07-31 09:37:38 UTC
Last seen:2020-07-31 11:08:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:reJ3gDPQA8ovwDYNtqFWOTLHaALtRgJ5Zfz+YJLmhZVbi9HtrS:qJ3gDYAFheFLLHaYKJ597JLmhZVb
TLSH 07F4C0047B90E51FC2AB8F7ACAD44810EEB8F5964B17E78734C267BF18CE36AA501571
Reporter @abuse_ch
Tags:ESP exe geo NanoCore nVpn RAT Santander


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: g.smtp.srvr.mx
Sending IP: 144.217.149.162
From: Banco standander <smovil@santander.com.mx>
Subject: Operación de facturación electrónica 8941610/7/30/20 20
Attachment: REF_ST73020203576_PDF.gz (contains "REF_ST73020203576_PDF.exe")

NanoCore RAT C2:
194.5.97.91:7583

Hosted on nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.97.0 - 194.5.97.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU5
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: SUB-ALLOCATED PA
mnt-by: PRIVACYFIRST-MNT
created: 2018-07-23T09:31:45Z
last-modified: 2020-07-30T03:48:40Z
source: RIPE

Intelligence


File Origin
# of uploads :
2
# of downloads :
32
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255259 Sample: REF_ST73020203576_PDF.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Sigma detected: Scheduled temp file as task from temp location 2->61 63 10 other signatures 2->63 8 REF_ST73020203576_PDF.exe 1 2->8         started        12 dhcpmon.exe 1 2->12         started        14 REF_ST73020203576_PDF.exe 2->14         started        16 dhcpmon.exe 2->16         started        process3 file4 51 C:\Users\...\REF_ST73020203576_PDF.exe.log, ASCII 8->51 dropped 67 Injects a PE file into a foreign processes 8->67 69 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->69 18 REF_ST73020203576_PDF.exe 1 12 8->18         started        23 dhcpmon.exe 2 12->23         started        25 REF_ST73020203576_PDF.exe 2 14->25         started        27 dhcpmon.exe 16->27         started        29 dhcpmon.exe 16->29         started        31 dhcpmon.exe 16->31         started        33 2 other processes 16->33 signatures5 process6 dnsIp7 53 194.5.97.91, 49697, 49698, 49702 DANILENKODE Netherlands 18->53 55 127.0.0.1 unknown unknown 18->55 43 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->43 dropped 45 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->45 dropped 47 C:\Users\user\AppData\Local\...\tmpFD28.tmp, XML 18->47 dropped 49 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->49 dropped 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->65 35 schtasks.exe 1 18->35         started        37 schtasks.exe 1 18->37         started        file8 signatures9 process10 process11 39 conhost.exe 35->39         started        41 conhost.exe 37->41         started       
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-31 09:39:05 UTC
AV detection:
21 of 31 (67.74%)
Threat level
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
NanoCore
Malware Config
Extraction:
194.5.97.91:7583
Threat name:
Suspicious File
Score:
0.61

Yara Signatures


Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 7d1ce7961e394f55fb7162e18e6cf587faa463d29ba5976eaad83b409f060621

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments