MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662
SHA3-384 hash: 65fbd0a8036fad00e438792ac7c4119600669d59af3ec6d3720cab525abb6b92acf28446b5090f33dacc2e3b322cb59b
SHA1 hash: 99fe057c3bc249bcc23be977c5fc694eeb437566
MD5 hash: af2b7dc34bb7a628d97a909ae54159a1
humanhash: cold-purple-lake-timing
File name:Bank Swift_7312020_PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:734'720 bytes
First seen:2020-07-31 12:01:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e94294aa486edca6180033051104c39 (5 x AgentTesla, 3 x MassLogger, 2 x NanoCore)
ssdeep 12288:B1i+/Z6i2pC138ktn6gCA4iFsrnTp1zPgcER7zu8WQfQDO4eEC5UAYrgJ:TNZopgQgY2O9IcERn5pQDEEtAz
Threatray 3'275 similar samples on MalwareBazaar
TLSH C2F4AFF6B2D05433C26F36F98C0B976CA836BE10DA2914862BF50C4F9FF968135E5196
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: symetree.com
Sending IP: 95.211.208.25
From: Accounts <salesdesk@symetree.com>
Subject: Bank Swift
Attachment: Bank Swift_7312020_PDF.gz (contains "Bank Swift_7312020_PDF.exe")

NanoCore RAT C2:
79.134.225.71:1990

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36479/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/406007
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255351 Sample: Bank Swift_7312020_PDF.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Sigma detected: Scheduled temp file as task from temp location 2->94 96 12 other signatures 2->96 10 Bank Swift_7312020_PDF.exe 2->10         started        13 Bank Swift_7312020_PDF.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        process3 signatures4 100 Maps a DLL or memory area into another process 10->100 19 Bank Swift_7312020_PDF.exe 1 14 10->19         started        24 Bank Swift_7312020_PDF.exe 10->24         started        26 Bank Swift_7312020_PDF.exe 13->26         started        28 Bank Swift_7312020_PDF.exe 3 13->28         started        30 dhcpmon.exe 15->30         started        32 dhcpmon.exe 3 15->32         started        34 dhcpmon.exe 17->34         started        36 dhcpmon.exe 2 17->36         started        process5 dnsIp6 86 79.134.225.71, 1990, 49721, 49724 FINK-TELECOM-SERVICESCH Switzerland 19->86 76 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->76 dropped 78 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 19->78 dropped 80 C:\Users\user\AppData\Local\...\tmpFBA9.tmp, XML 19->80 dropped 82 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->82 dropped 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->98 38 schtasks.exe 1 19->38         started        40 schtasks.exe 1 19->40         started        42 Bank Swift_7312020_PDF.exe 26->42         started        84 C:\Users\...\Bank Swift_7312020_PDF.exe.log, ASCII 28->84 dropped 45 dhcpmon.exe 30->45         started        47 dhcpmon.exe 34->47         started        file7 signatures8 process9 signatures10 49 conhost.exe 38->49         started        51 conhost.exe 40->51         started        102 Maps a DLL or memory area into another process 42->102 53 Bank Swift_7312020_PDF.exe 42->53         started        55 Bank Swift_7312020_PDF.exe 42->55         started        57 dhcpmon.exe 45->57         started        59 dhcpmon.exe 45->59         started        61 dhcpmon.exe 47->61         started        63 dhcpmon.exe 47->63         started        process11 process12 65 Bank Swift_7312020_PDF.exe 53->65         started        68 dhcpmon.exe 57->68         started        signatures13 88 Maps a DLL or memory area into another process 65->88 70 Bank Swift_7312020_PDF.exe 65->70         started        72 Bank Swift_7312020_PDF.exe 65->72         started        74 dhcpmon.exe 68->74         started        process14
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 12:03:08 UTC
AV detection:
43 of 48 (89.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=spse6osjmr2xhyg6ikzj3afjzyfpls4hsql6ni7wui4nrclzyzra._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9
NanoCore
24154b374505bf76998acbeb5dafbf42a61a516234f2f1b708784ec3669bfbd1
NanoCore
311380e373e370131734bd5c65fe3b8a8b2862fc7049692e92ac12703487edc7
NanoCore
367d1fd29045416d80d3b22efd7b0684601c184ea06cbeffad5b4562fcee0533
NanoCore
3d604878a1a81c85be92fc830d195e4503cf17c9e8cd3e6778e2f4c3cf14c83c
NanoCore
7f0bd5d4fdb77f5c7944ba26cf6028a8f7f3f92e674611385f6cdd1e5258708d
NanoCore
99876ee50802848768d32d6cd179141603d76259e33c223b47204e33ef4b416d
NanoCore
9f0c636096918ffd81f45e54f65d8992726cbfbef9a8d087476ab5360590d35d
NanoCore
bee273e8651fb168e330da50d83a3e4ad3769692d365d20f0cd9e1afbe13bcb0
NanoCore
e3d23bafecccf8c1282d7c7f561490061216edabbbdafde8dca65608ba28a8fc
NanoCore
+ 3'265 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200731-hp86ghahva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore
Malware Config
C2 Extraction:
79.134.225.71:1990
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz 2538979f8cedd47ad7f10112e1c8421c18b8019457d4fe0fb751ecaaba355987

NanoCore

Executable exe 93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662

(this sample)

  
Dropped by
MD5 ff287e0e24f4c3bd53a63f8a906f4e19
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/36479/
  
Dropped by
SHA256 2538979f8cedd47ad7f10112e1c8421c18b8019457d4fe0fb751ecaaba355987

Comments