MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f0bd5d4fdb77f5c7944ba26cf6028a8f7f3f92e674611385f6cdd1e5258708d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 7f0bd5d4fdb77f5c7944ba26cf6028a8f7f3f92e674611385f6cdd1e5258708d
SHA3-384 hash: 844360675c8a6522d352388de172993d2d03eb5182b5506847ef764038d9d919b2b94d6f923082220c69a275b36d5a32
SHA1 hash: 05b2ac8e4f2e43b818e1c499ff2e3dba13b1f63d
MD5 hash: ce61e73565f2880b720b3997174e3258
humanhash: burger-missouri-tennessee-april
File name: BL Draft DOC-20200731-PL#INV203948.exe
Signature: NanoCore
File size: 734'720 bytes
First seen: 2020-07-31 12:03:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2e94294aa486edca6180033051104c39
ssdeep: 12288:B1i+/Z6i2pC138ktn6gCA4iFsrnTp1zPgcER4Cu4fPSfHI5L+I:TNZopgQgY2O9IcERju455Ld
TLSH: 8CF4AFE2B2D15437C26F16F98C0BB768A836FE101A2914862BF50C4F9FF96C135E5396
Reporter: @abuse_ch
Tags: exe NanoCore nVpn RAT


Twitter (@abuse_ch):
Malspam distributing NanoCore:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: Rong Lee <hameedentr@cyber.net.pk>
Subject: Re: **TOP URGENT** Shipping Documents
Attachment: BL Draft DOC-20200731-PLINV203948.pdf.gz (contains "BL Draft DOC-20200731-PL#INV203948.exe")

NanoCore RAT C2:
185.244.29.130:1980

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.29.0 - 185.244.29.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-ASIA1
country: SC
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: SUB-ALLOCATED PA
mnt-by: PRIVACYFIRST-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-07-28T20:53:46Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 33
Origin country: FR

Mail intelligence
Geo location: CH Switzerland
Volume: Low
Geo location: Global
Volume: Low

Vendor Threat Intelligence

Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph (ID: 255352; Sample: BL Draft DOC-20200731-PL#IN...; Startdate: 31/07/2020; Architecture: WINDOWS; Score: 100)

Top-level signatures:
- Found malware configuration
- Malicious sample detected (through community Yara rule)
- Sigma detected: Scheduled temp file as task from temp location
- 11 other signatures

Process tree:
- BL Draft DOC-20200731-PL#INV203948.exe (started twice) and dhcpmon.exe (started twice)
  - Signature: Maps a DLL or memory area into another process
  - Each spawns a child copy of itself (BL Draft DOC-20200731-PL#INV203948.exe / dhcpmon.exe)
  - The sample's child process starts schtasks.exe twice; each schtasks.exe starts conhost.exe

Network (from the sample's child process):
- 185.244.29.130, port 1980 (local ports 49714, 49715), DAVID_CRAIGGG, Netherlands

Dropped files:
- C:\Program Files (x86)\...\dhcpmon.exe (PE32)
- C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859)
- C:\Users\user\AppData\Local\...\tmp819A.tmp (XML)
- C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
- BL Draft DOC-20200...L#INV203948.exe.log (ASCII)

Signature on the child process: Hides that the sample has been downloaded from the Internet (zone.identifier)
Threat name: Win32.Trojan.Crypt
Status: Suspicious
First seen: 2020-07-31 12:05:05 UTC
AV detection: 14 of 31 (45.16%)
Threat level: 5/5

Result
Malware family: nanocore
Score: 10/10
Tags: upx persistence evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore

Malware Config
Extraction: :1980
Extraction: 185.244.29.130:1980

Threat name: Malicious File
Score: 1.00

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Campaign: Malspam
Malware family: NanoCore
Sample: Executable exe 7f0bd5d4fdb77f5c7944ba26cf6028a8f7f3f92e674611385f6cdd1e5258708d (this sample)
Delivery method: Distributed via e-mail attachment

Comments