MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662
SHA3-384 hash: 65fbd0a8036fad00e438792ac7c4119600669d59af3ec6d3720cab525abb6b92acf28446b5090f33dacc2e3b322cb59b
SHA1 hash: 99fe057c3bc249bcc23be977c5fc694eeb437566
MD5 hash: af2b7dc34bb7a628d97a909ae54159a1
humanhash: cold-purple-lake-timing
File name: Bank Swift_7312020_PDF.exe
Signature: NanoCore
File size: 734'720 bytes
First seen: 2020-07-31 12:01:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2e94294aa486edca6180033051104c39
ssdeep: 12288:B1i+/Z6i2pC138ktn6gCA4iFsrnTp1zPgcER7zu8WQfQDO4eEC5UAYrgJ:TNZopgQgY2O9IcERn5pQDEEtAz
TLSH: C2F4AFF6B2D05433C26F36F98C0B976CA836BE10DA2914862BF50C4F9FF968135E5196
Reporter: @abuse_ch
Tags: exe NanoCore nVpn RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: symetree.com
Sending IP: 95.211.208.25
From: Accounts <salesdesk@symetree.com>
Subject: Bank Swift
Attachment: Bank Swift_7312020_PDF.gz (contains "Bank Swift_7312020_PDF.exe")

NanoCore RAT C2:
79.134.225.71:1990

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE
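The malspam chain in the tweet above (a .gz attachment whose member is an .exe named to look like a PDF, sent from a known HELO and IP) is exactly what a mail gateway can check before anything reaches a sandbox. The Python below is an added example written for this page, not MalwareBazaar or abuse.ch code. It builds a constructed message modelled on the headers in the tweet, wraps a harmless MZ-prefixed stub (not the real sample) in a gzip member whose FNAME field carries the .exe name, then unwraps the attachment, reads that name from the RFC 1952 header by hand (the gzip module discards it), checks the PE magic against the "PDF" lure, hashes the inner file against the entry's SHA256, and matches the first Received header against the sending IP and HELO listed above. The Received line, recipient address and body text are assumptions.

```python
"""Mail-gateway triage for a gzip-wrapped executable lure (added example)."""
import email
import gzip
import hashlib
import io
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Indicators copied from the MalwareBazaar entry and the tweet above.
IOC_SHA256 = {"93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662"}
IOC_SENDING_IPS = {"95.211.208.25"}
IOC_HELO = {"symetree.com"}

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_HELO_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

# Constructed stand-in for the attachment body: PE magic plus padding, NOT the real sample.
STUB_PE = b"MZ" + b"\x00" * 62 + b"constructed stub, not the malware"


def gzip_original_name(data: bytes) -> Optional[str]:
    """Return the FNAME field of a gzip member (RFC 1952), or None if absent.
    The gzip module skips this field on read, so walk the header by hand."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        return None
    flg, pos = data[3], 10               # fixed header is 10 bytes; FLG at offset 3
    if flg & 0x04:                       # FEXTRA: 2-byte little-endian length, then payload
        pos += 2 + int.from_bytes(data[10:12], "little")
    if not flg & 0x08:                   # FNAME flag not set
        return None
    end = data.find(b"\x00", pos)        # FNAME is zero-terminated latin-1
    return data[pos:end].decode("latin-1") if end >= 0 else None


def build_constructed_message(payload: bytes,
                              inner_name: str = "Bank Swift_7312020_PDF.exe",
                              outer_name: str = "Bank Swift_7312020_PDF.gz",
                              sending_ip: str = "95.211.208.25",
                              helo: str = "symetree.com") -> bytes:
    """Constructed message modelled on the tweet's headers; the Received line,
    recipient and body text are assumptions."""
    msg = EmailMessage()
    msg["Received"] = (f"from {helo} (unknown [{sending_ip}]) by mx.example.invalid "
                       "with ESMTP; Fri, 31 Jul 2020 12:01:54 +0000")
    msg["From"] = "Accounts <salesdesk@symetree.com>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Bank Swift"
    msg.set_content("Please find the swift copy attached.")
    buf = io.BytesIO()
    # filename= is stored in the gzip FNAME field, which is how a .gz "contains" an .exe name
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf) as gz:
        gz.write(payload)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="gzip",
                       filename=outer_name)
    return msg.as_bytes()


def triage(raw: bytes) -> Dict[str, object]:
    """Inspect a raw RFC 5322 message; return what was found and a block/allow verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    result: Dict[str, object] = {"inner_name": None, "sha256": None, "sending_ip": None}

    received = str(msg.get("Received", ""))   # first hop as seen by our MX
    ip_m, helo_m = RECEIVED_IP_RE.search(received), RECEIVED_HELO_RE.match(received)
    if ip_m:
        result["sending_ip"] = ip_m.group(1)
        if ip_m.group(1) in IOC_SENDING_IPS:
            reasons.append("sending IP matches known malspam source")
    if helo_m and helo_m.group(1).lower() in IOC_HELO:
        reasons.append("HELO matches known malspam source")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data[:2] != b"\x1f\x8b":           # trust the magic, not the declared type
            continue
        inner_name = gzip_original_name(data) or ""
        inner = gzip.decompress(data)
        digest = hashlib.sha256(inner).hexdigest()
        result["inner_name"], result["sha256"] = inner_name, digest
        is_pe = inner[:2] == b"MZ"
        claims_pdf = "pdf" in name.lower() or "pdf" in inner_name.lower()
        if is_pe and claims_pdf:
            reasons.append("executable disguised as PDF")
        elif is_pe or inner_name.lower().endswith((".exe", ".scr", ".com")):
            reasons.append("archive wraps an executable")
        if digest in IOC_SHA256:
            reasons.append("SHA256 matches MalwareBazaar sample")

    result["reasons"] = reasons
    result["verdict"] = "block" if reasons else "allow"
    return result
```

The hash match is the weakest of these checks (a rebuilt or repacked sample has a new SHA256); the structural checks (gzip member named .exe, MZ magic behind a "PDF" name) survive that, which is why the verdict does not depend on the hash.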

Intelligence


File Origin
# of uploads: 1
# of downloads: 30
Origin country: US
Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph (rendered image; only the recoverable details are kept here):
Behavior Graph ID: 255351
Sample: Bank Swift_7312020_PDF.exe
Start date: 31/07/2020
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 12 other signatures
Process tree, summarised from the graph:
Bank Swift_7312020_PDF.exe (two instances) and dhcpmon.exe (two instances) start; each repeatedly spawns a copy of itself, and the parent-to-child edge is flagged "Maps a DLL or memory area into another process".
One injected Bank Swift_7312020_PDF.exe child connects to 79.134.225.71 port 1990 (FINK-TELECOM-SERVICESCH, Switzerland) from local ports 49721 and 49724.
The same child drops C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859), C:\Users\user\AppData\Local\...\tmpFBA9.tmp (XML) and C:\...\dhcpmon.exe:Zone.Identifier (ASCII), the last flagged "Hides that the sample has been downloaded from the Internet (zone.identifier)".
It then starts schtasks.exe twice, each with its own conhost.exe.
Another Bank Swift_7312020_PDF.exe instance drops C:\Users\...\Bank Swift_7312020_PDF.exe.log (ASCII).
Threat name: Win32.Trojan.DataStealer
Status: Malicious
First seen: 2020-07-31 12:03:08 UTC
AV detection: 21 of 31 (67.74%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: upx evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore
Malware Config
Extraction: 79.134.225.71:1990
Threat name: Trojan
Score: 1.00
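The sandbox signatures and behaviour lists above (a scheduled task created from an XML file in a temp directory, dhcpmon.exe dropped under Program Files, the Zone.Identifier stream, the Run key, the sample spawning copies of itself before mapping memory into them, and the 79.134.225.71:1990 C2) map onto a handful of host-telemetry rules. The Python below is an added example, not code from MalwareBazaar or either sandbox vendor: it runs Sysmon-style rules over a constructed event list that approximates the behaviour graph. The task name, the Program Files subfolder, the Run value name, the launch path and the schtasks command line are hypothetical, since the entry elides or does not record them; only the C2 host:port, the tmpFBA9.tmp name and the dhcpmon.exe file name come from the page.

```python
"""Host-telemetry rules for the persistence and injection tells above (added example)."""
import re
from typing import Dict, List, Optional

# C2 host:port from the entry's malware configuration.
C2_IOCS = {("79.134.225.71", 1990)}

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Processes expected to write Zone.Identifier or spawn copies of themselves; tune per estate.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}

Event = Dict[str, object]


def basename(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def rule_self_spawn(ev: Event) -> Optional[str]:
    """User-profile binary spawning a copy of itself: the setup behind
    'Maps a DLL or memory area into another process' in the graph above."""
    if ev.get("type") != "ProcessCreate":
        return None
    img, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    if img and img == parent and img not in ALLOWED_IMAGES \
            and USER_PROFILE_RE.match(str(ev.get("Image", ""))):
        return "process from a user profile spawned a copy of itself (possible hollowing)"
    return None


def rule_schtasks_xml_from_temp(ev: Event) -> Optional[str]:
    """Sigma 'Scheduled temp file as task from temp location': schtasks /create
    fed a task definition that lives under %LOCALAPPDATA%\\Temp."""
    if ev.get("type") != "ProcessCreate" or basename(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = str(ev.get("CommandLine", ""))
    if "/create" in cmd.lower() and TEMP_DIR_RE.search(cmd):
        return "scheduled task created from an XML file in a temp directory"
    return None


def rule_exe_dropped_in_program_files(ev: Event) -> Optional[str]:
    if ev.get("type") != "FileCreate":
        return None
    target = str(ev.get("TargetFilename", ""))
    if PROGRAM_FILES_RE.match(target) and target.lower().endswith(".exe") \
            and USER_PROFILE_RE.match(str(ev.get("Image", ""))):
        return "executable dropped into Program Files by a user-profile process"
    return None


def rule_zone_identifier_tamper(ev: Event) -> Optional[str]:
    """Sysmon event 15 (stream created) or a delete on the Zone.Identifier ADS
    by something other than a browser or mail client."""
    if ev.get("type") not in {"FileCreateStreamHash", "FileDelete"}:
        return None
    if not str(ev.get("TargetFilename", "")).lower().endswith(":zone.identifier"):
        return None
    if basename(ev.get("Image", "")) in ALLOWED_IMAGES:
        return None
    return "Zone.Identifier stream written or removed by an unexpected process"


def rule_run_key(ev: Event) -> Optional[str]:
    if ev.get("type") != "RegistrySetValue":
        return None
    if RUN_KEY_RE.search(str(ev.get("TargetObject", ""))) \
            and USER_PROFILE_RE.match(str(ev.get("Image", ""))):
        return "Run key persistence set by a user-profile process"
    return None


def rule_c2_ioc(ev: Event) -> Optional[str]:
    if ev.get("type") != "NetworkConnect":
        return None
    try:
        port = int(ev.get("DestinationPort", 0))   # Sysmon exports the port as a string
    except (TypeError, ValueError):
        return None
    if (str(ev.get("DestinationIp", "")), port) in C2_IOCS:
        return "connection to the NanoCore C2 listed in the malware configuration"
    return None


RULES = [rule_self_spawn, rule_schtasks_xml_from_temp, rule_exe_dropped_in_program_files,
         rule_zone_identifier_tamper, rule_run_key, rule_c2_ioc]


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event; return one hit per (event, rule) match."""
    hits: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        for rule in RULES:
            message = rule(ev)
            if message:
                hits.append({"event": i, "rule": rule.__name__, "message": message})
    return hits


# Constructed events approximating the behaviour graph. Launch path, task name,
# Program Files subfolder and Run value name are hypothetical.
SAMPLE = r"C:\Users\user\Desktop\Bank Swift_7312020_PDF.exe"
DROPPED = r"C:\Program Files (x86)\Example Folder\dhcpmon.exe"
CONSTRUCTED_EVENTS: List[Event] = [
    {"type": "ProcessCreate", "Image": SAMPLE, "ParentImage": SAMPLE, "CommandLine": '"' + SAMPLE + '"'},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": r'schtasks.exe /create /f /tn "Example Task" /xml "C:\Users\user\AppData\Local\Temp\tmpFBA9.tmp"'},
    {"type": "FileCreate", "Image": SAMPLE, "TargetFilename": DROPPED},
    {"type": "FileCreateStreamHash", "Image": SAMPLE, "TargetFilename": DROPPED + ":Zone.Identifier"},
    {"type": "RegistrySetValue", "Image": SAMPLE,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example Entry", "Details": DROPPED},
    {"type": "NetworkConnect", "Image": SAMPLE, "DestinationIp": "79.134.225.71", "DestinationPort": 1990},
    # benign noise the rules must stay quiet on
    {"type": "NetworkConnect", "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    {"type": "FileCreateStreamHash", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": 'schtasks.exe /query /tn "Example Task"'},
]
```

rule_self_spawn and rule_run_key are the noisy ones: installers and updaters launched from Downloads do both legitimately, so in production they are best treated as context for the other hits rather than as standalone alerts. The C2 match is the highest-confidence signal but also the shortest-lived, since the configured host:port changes with every build.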

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: NanoCore
File: Executable exe 93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662 (this sample)
