MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aec83b31afe9607016c7698162d85240a7a17d5399b99bb92572fa36f173e738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aec83b31afe9607016c7698162d85240a7a17d5399b99bb92572fa36f173e738
SHA3-384 hash: 338842637fd2137283754fd76ffd7bacf4eaf5519e9af8474976c7b6857694746991c9f502604991e01530e52887a123
SHA1 hash: a4d77ad18270631ec7df98d011337c9dd21bc404
MD5 hash: 8ba767f894b7c87c19f70276a618c875
humanhash: edward-monkey-colorado-single
File name:INQ_PzAEsxHLDOgM.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:795'648 bytes
First seen:2020-07-16 06:59:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cr530Z2k4zUtaJFdzK/XddGH3biVDOALg1lDynV8uCPmlGOr74qhzKS21s8LeSGl:cr5oQFEVdeLi0AL0lDy80Foi
Threatray 4'365 similar samples on MalwareBazaar
TLSH 2605BECC3550759EC81E8D768994DC70A6202D62F7FBE20763C36E9F793D687DA042A2
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: server.kibriswebtasarimi.com
Sending IP: 176.9.21.149
From: ivy <ivy@hunantube.com>
Subject: ERW Pipes, Fittings Inquiry
Attachment: INQ_PzAEsxHLDOgM.r00 (contains "INQ_PzAEsxHLDOgM.exe")

NanoCore RAT C2:
79.134.225.85:2468

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26413/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.12910.30513.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389369
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246862 Sample: INQ_PzAEsxHLDOgM.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 9 other signatures 2->60 9 INQ_PzAEsxHLDOgM.exe 1 2->9         started        13 wpasv.exe 1 2->13         started        15 INQ_PzAEsxHLDOgM.exe 2->15         started        17 wpasv.exe 2->17         started        process3 file4 50 C:\Users\user\...\INQ_PzAEsxHLDOgM.exe.log, ASCII 9->50 dropped 64 Injects a PE file into a foreign processes 9->64 19 INQ_PzAEsxHLDOgM.exe 1 12 9->19         started        24 INQ_PzAEsxHLDOgM.exe 9->24         started        26 wpasv.exe 2 13->26         started        28 wpasv.exe 13->28         started        30 INQ_PzAEsxHLDOgM.exe 2 15->30         started        signatures5 process6 dnsIp7 52 79.134.225.85, 2468 FINK-TELECOM-SERVICESCH Switzerland 19->52 42 C:\Program Files (x86)\...\wpasv.exe, PE32 19->42 dropped 44 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->44 dropped 46 C:\Users\user\AppData\Local\...\tmp3C5F.tmp, XML 19->46 dropped 48 C:\...\wpasv.exe:Zone.Identifier, ASCII 19->48 dropped 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->62 32 schtasks.exe 1 19->32         started        34 schtasks.exe 1 19->34         started        file8 signatures9 process10 process11 36 conhost.exe 32->36         started        38 conhost.exe 34->38         started        process12 40 wpasv.exe 36->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aec83b31afe9607016c7698162d85240a7a17d5399b99bb92572fa36f173e738/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 07:00:10 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3edwmnp5fqhafwhngawfwcsict2c7kttg4zxojfol5dn4lt444a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
04d57be00e1edddcfd5cd6088b4eec44591c6f0a5f9e6a13b9f90e66a24ccc25
NanoCore
17481cdb2d9566e16b46d94992aaf665bc2414c67777b27ad8714904b46fb341
NanoCore
305eb08e59ef7e93a40e6eb8edf0c4a336ff54bfc07cac69d1744c949f53757e
NanoCore
3e0a5536a96d3ea0b97b034c193bcb933f2dd8dfc8e159915951ab3842630b20
NanoCore
4291277336e3c27f2cc05278635f7724fa2ff4af06a547ca5a04ac91c3d71fa0
NanoCore
67fef2f83af3da398f5e144ccc65e18d7d30b57f53d94658cd62fe53d5e3d81b
NanoCore
91ec8e2e85917775a7055500c887bf49371679f772bd917c69dfb2b628f4a680
NanoCore
953b28fd61cb8eb78e1fca699aead009a12bb5a0a6a8d42b0447cbe2bf828143
NanoCore
a6fa24e0210cf4e792b983adf65416871b6a4792fbd5ba3ccaf15484159c776b
NanoCore
a9e29436ef50f76f0d8c46e62205491e8acbea0e22f38fcbd5d38719264897d1
NanoCore
+ 4'355 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200716-5s2ldclvzj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
79.134.225.85:2468
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

r00 0039f262a5c0135ba3ea10a5b25227eecb872b54cc947fb3098764c934bde347

NanoCore

Executable exe aec83b31afe9607016c7698162d85240a7a17d5399b99bb92572fa36f173e738

(this sample)

  
Dropped by
MD5 ed10a14c807b11c93980ec853b523fb0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0039f262a5c0135ba3ea10a5b25227eecb872b54cc947fb3098764c934bde347
Cape
Cape
https://www.capesandbox.com/analysis/26413/

Comments