MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7b022be326a3aa380e1bd55bde21fea8d7e0c59e037b7db2902c63b01bb6fda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7b022be326a3aa380e1bd55bde21fea8d7e0c59e037b7db2902c63b01bb6fda
SHA3-384 hash: 4ffe62f4b2052403aa3e828cd686332498fe5396062283be9771bc0380f6c5737842f51c6c302d93acc8fabc871ae71c
SHA1 hash: 284cfa267113705664cb92d08e1fb63fb1971f52
MD5 hash: 05b744421002a4587b942f2b86013e71
humanhash: florida-cat-butter-tango
File name:01032_7222020.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:892'416 bytes
First seen:2020-07-22 13:27:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e01edf6e44755e0328837b108f7966d (7 x AgentTesla, 5 x Loki, 3 x NanoCore)
ssdeep 12288:0Q/ena6F83r+bPrsdB0L0gazjJsJNulttShwmAl3bIqhvZjYBHTcaGL:3aaFabDs7btHlttqwmolviYXL
Threatray 3'252 similar samples on MalwareBazaar
TLSH 99159F66F1934833C562DA3C8D5BB678982ABE111A197A476BF44F4C9F3E24338352D3
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31179/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.11988.27959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/395097
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249906 Sample: 01032_7222020.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 105 Found malware configuration 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 Multi AV Scanner detection for dropped file 2->109 111 13 other signatures 2->111 12 01032_7222020.exe 2->12         started        15 wpasv.exe 2->15         started        17 01032_7222020.exe 2->17         started        19 wpasv.exe 2->19         started        process3 signatures4 121 Detected unpacking (changes PE section rights) 12->121 123 Detected unpacking (creates a PE file in dynamic memory) 12->123 125 Detected unpacking (overwrites its own PE header) 12->125 127 Contains functionality to detect sleep reduction / modifications 12->127 21 01032_7222020.exe 1 14 12->21         started        26 01032_7222020.exe 12->26         started        129 Maps a DLL or memory area into another process 15->129 28 wpasv.exe 15->28         started        30 wpasv.exe 3 15->30         started        32 01032_7222020.exe 17->32         started        34 01032_7222020.exe 3 17->34         started        36 wpasv.exe 19->36         started        38 wpasv.exe 19->38         started        process5 dnsIp6 103 dera118.hopto.org 185.140.53.135, 49719, 49720, 49721 DAVID_CRAIGGG Sweden 21->103 93 C:\Program Files (x86)\...\wpasv.exe, PE32 21->93 dropped 95 C:\Users\user\AppData\Roaming\...\run.dat, data 21->95 dropped 97 C:\Users\user\AppData\Local\...\tmpD237.tmp, XML 21->97 dropped 99 C:\...\wpasv.exe:Zone.Identifier, ASCII 21->99 dropped 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->119 40 schtasks.exe 1 21->40         started        42 schtasks.exe 1 21->42         started        44 wpasv.exe 28->44         started        47 01032_7222020.exe 32->47         started        101 C:\Users\user\...\01032_7222020.exe.log, ASCII 34->101 dropped 49 wpasv.exe 36->49         started        file7 signatures8 process9 signatures10 51 conhost.exe 40->51         started        53 conhost.exe 42->53         started        131 Maps a DLL or memory area into another process 44->131 55 wpasv.exe 44->55         started        57 wpasv.exe 44->57         started        59 01032_7222020.exe 47->59         started        61 01032_7222020.exe 47->61         started        63 wpasv.exe 49->63         started        65 wpasv.exe 49->65         started        process11 process12 67 wpasv.exe 55->67         started        70 01032_7222020.exe 59->70         started        72 wpasv.exe 63->72         started        signatures13 113 Maps a DLL or memory area into another process 67->113 74 wpasv.exe 67->74         started        76 wpasv.exe 67->76         started        78 01032_7222020.exe 70->78         started        80 01032_7222020.exe 70->80         started        82 wpasv.exe 72->82         started        84 wpasv.exe 72->84         started        process14 process15 86 wpasv.exe 74->86         started        89 01032_7222020.exe 78->89         started        signatures16 115 Maps a DLL or memory area into another process 86->115 117 Sample uses process hollowing technique 86->117 91 01032_7222020.exe 89->91         started        process17
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a7b022be326a3aa380e1bd55bde21fea8d7e0c59e037b7db2902c63b01bb6fda/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 13:01:17 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6ycfprsni5khahbxvk33yq75kgx4dcz4a33pwzjalddwan3n7na._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
02a3cf916211a06c79f7f785d925d76a6f0c1ea946c03c475048c1dc78d338ce
NanoCore
13401ed6c28248a7b90b62de52d902972a9c0b72e2e19aded928988e2c9c4503
NanoCore
35a94d699b3b76654146147d5049a618067f3c2081f0b90d28f2b0cb4baf9df1
NanoCore
8948e4e0f392197b1c1436e5f7a2a7bc326c849b6129d8cf287a6d6a03cd642e
NanoCore
a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7
NanoCore
a3f262fc5001f20e6d8fdf3bc436febffa5f4065eec8463bdd767efa2c3f445b
NanoCore
a932257a2967d22fd7478319f19297485c631cd24990804be1e27752bc5549e5
NanoCore
ab986524b5bf9434296a01cba5f2c36ba731946e8e39b6ff362c3a7ce7483353
NanoCore
b4c84cf915c0f29a82c0fa8d9e7c7940338ebedf458ce7d4b187935bd5ba9e82
NanoCore
d371f4d1ca41860654d8b400e4162fc379c05c31778f5bb4cbb653766f5be3db
NanoCore
+ 3'242 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200722-jmtezd1mge/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore
Malware Config
C2 Extraction:
dera118.hopto.org:7031
185.140.53.135:7031
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7b022be326a3aa380e1bd55bde21fea8d7e0c59e037b7db2902c63b01bb6fda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/31179/

Comments