MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bb9b00853b7ad74a9e4c41b8974ab369d16e6289c9e9e933be5fe56539af2b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bb9b00853b7ad74a9e4c41b8974ab369d16e6289c9e9e933be5fe56539af2b1
SHA3-384 hash: 069a90afa8f05c6e8ebc14295334ebde3a786b952e79db557968acfdbe5e6e1ee1cac7369052585dfd591fd9f053cc34
SHA1 hash: 2e06cf0148a06bf79c3ef08d494dfc2da6f1176b
MD5 hash: 5362972a62de7251db4a08a631b96459
humanhash: quiet-west-florida-yankee
File name:PO #2604195144.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'617'667 bytes
First seen:2020-08-03 13:06:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ccbe8fa3624c3df0027f9e85f590235e (1 x MassLogger, 1 x NanoCore)
ssdeep 12288:AITxmdCNTeMHDsClnqY1dHB7MJzBx5GOnMUYfve3QN4ho0qxBL7VnNrr3XGP:AdC1vnVMJzBx5GOnJYfveAKhexZ7RE
Threatray 1'088 similar samples on MalwareBazaar
TLSH F875FB36A2338839E88504B5141AE76D2F043E3A2B35D58CDF84FB5A2DBD3D97790D4A
Reporter abuse_ch
Tags:exe NanoCore


Avatar
abuse_ch
Malspam distributing NanoCore:

From: Jazz <composite@icomis.com>
Subject: SCG - PO #2604195144 / 08.03.2020
Attachment: PO 2604195144.rar (contains "PO #2604195144.exe")

NanoCore RAT C2:
178.124.140.145:1604

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37838/
Detection(s):
SecuriteInfo.com.Variant.Johnnie.266274.6824.10209.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.43584661.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Sending a UDP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Nanocore MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/407941
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sample uses process hollowing technique
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MailPassView
Yara detected Nanocore RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256208 Sample: PO #2604195144.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 10 other signatures 2->56 8 PO #2604195144.exe 1 2 2->8         started        12 tzujbo4mcUxkRl1.exe.exe 2->12         started        14 tzujbo4mcUxkRl1.exe.exe 2->14         started        16 RegSvcs.exe 4 2->16         started        process3 file4 46 C:\Users\user\...\tzujbo4mcUxkRl1.exe.exe, PE32 8->46 dropped 60 Sample uses process hollowing technique 8->60 18 RegSvcs.exe 13 8->18         started        62 Machine Learning detection for dropped file 12->62 23 RegSvcs.exe 2 12->23         started        25 RegSvcs.exe 14->25         started        27 conhost.exe 16->27         started        signatures5 process6 dnsIp7 48 178.124.140.145, 1604, 49717, 49740 BELPAK-ASBELPAKBY Belarus 18->48 42 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->42 dropped 44 C:\Users\user\AppData\Local\Temp\tmp3FB.tmp, XML 18->44 dropped 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->58 29 vbc.exe 1 18->29         started        32 schtasks.exe 1 18->32         started        34 vbc.exe 13 18->34         started        36 WerFault.exe 25->36         started        38 conhost.exe 27->38         started        file8 signatures9 process10 signatures11 64 Tries to steal Mail credentials (via file registry) 29->64 66 Tries to steal Instant Messenger accounts or passwords 29->66 68 Tries to steal Mail credentials (via file access) 29->68 40 conhost.exe 32->40         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bb9b00853b7ad74a9e4c41b8974ab369d16e6289c9e9e933be5fe56539af2b1/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 13:08:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ro43acctw6wxjkpeyqnys5flg2ornzritspj5ez34x7fmu426kyq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
15d88e59e80b15ed7b24ffd1a496ff718b76a6a7d06cc2be0d1f91e460871c12
NanoCore
289c596406900aae22ba6b3d5a9d5465e38faebb46698f89def637389f675ae6
NanoCore
5d37ea9d96ae208d4df3961643780b97016cf055128483ae287ad86616cbea45
NanoCore
7cdf1294eb40f2a207f55cbb1a68761135500f64bb077a7f4ba9a7d3098850f1
NanoCore
9c62e75f2dc168671bddfe8cad2b102197c10d9039d8917a7637585ff603dbdd
NanoCore
9fc240db7a0cd883c35e2cbfc6e8dcb2bb3921514dbce65aef46711de4a06a6a
NanoCore
c4f0b3610d084b670fbcd8d5405153b208907ac348a190df4cfa41b1dc4f029c
NanoCore
d11f8cd2987a718cc9d0bd9de289ee8d90555115cb9d03fdc8f0b930898e4a75
NanoCore
d49621996ba7b43c8d7cb35403ccbb13c50f1a1dddc9492ce7a74abd8597a115
NanoCore
ddf157853be3dbebba9eea0db9815017a0c7d8dded210a5c291d7b0ccd2fd2be
NanoCore
+ 1'078 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200803-lg9ghgwh3j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Maps connected drives based on registry
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
178.124.140.145:1604
alibabadino8.ddns.net:1604
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bb9b00853b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NanoCore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bb9b00853b7ad74a9e4c41b8974ab369d16e6289c9e9e933be5fe56539af2b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar f4846a6f5b3122080ec0cc8bd6b2fd4045938d4e3e4d6caeaa62be79c1a67a3d

NanoCore

Executable exe 8bb9b00853b7ad74a9e4c41b8974ab369d16e6289c9e9e933be5fe56539af2b1

(this sample)

  
Dropped by
MD5 9538f63bd71c8139b818f4c145a66446
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37838/
  
Dropped by
SHA256 f4846a6f5b3122080ec0cc8bd6b2fd4045938d4e3e4d6caeaa62be79c1a67a3d

Comments