MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aee0158a9f836306b64e6c99e732073aa81fe23944c91a3d0fcf9a92508019ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	aee0158a9f836306b64e6c99e732073aa81fe23944c91a3d0fcf9a92508019ec
SHA3-384 hash:	47b35c1328027f6b1c0104c8d779b04eea05d3b7ef65f6f6f4292f831801cf2196e30cc7befeef05dac1fbd291db67c1
SHA1 hash:	351fa6cb3783866462d8775e546eb8aef2d1da3f
MD5 hash:	51419d0dbc446c8dc61aedfaa6712a5b
humanhash:	oscar-uncle-single-victor
File name:	hhhesda.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'052'672 bytes
First seen:	2020-06-29 12:21:01 UTC
Last seen:	2020-06-29 13:12:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9a5cc778d0f4132de3891c04833334e8 (9 x AgentTesla, 3 x Loki, 2 x NanoCore)
ssdeep	12288:YjnGLjIup+Q67pPhPc3IAMXOvIHoFdDRVmqOJ1UVSxk+AIWNDoKj3gbQZwQ:YjoUuGNhPc3uOIoScVSO5n3w9Q
Threatray	2'799 similar samples on MalwareBazaar
TLSH	9A258E2EF28E5433E1F296389C3B5275983ABD103D2858466BE5CD6C5F396C338352A7
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: mail.strongmailvault.com
Sending IP: 111.90.144.75
From: Waleed Rashid <office@jinpao.us>
Reply-To: info.farapan19@gmail.com
Subject: Order confirmation needed PO-TSP-732
Attachment: PO-TSP-7320051.IMG (contains "hhhesda.exe")

NanoCore RAT C2:
79.134.225.75:21600

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/16257/

Detection(s):

PUA.Win.Adware.Webalta-6854075-0

PUA.Win.Adware.Webalta-6862190-0

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/aee0158a9f836306b64e6c99e732073aa81fe23944c91a3d0fcf9a92508019ec/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2020-06-29 12:22:06 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=v3qblcu7qnrqnnsonsm6omqhhkub7yrziterupipz6njeueadhwa._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

emotet

NanoCore

24fe76a4e6cd5623f2326d2f43de09b9b6f4de236e80ea5aca50b76da888c0af

NanoCore

3ec241071c7e4652915d56d349936696967e54a34d4943a51bdb20a91893331b

NanoCore

68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3

NanoCore

89ceb49c67e4f8f715b9eef4ad2b1fcac135da2560072c5f3449273f08a7f7bb

NanoCore

90474a0270106b33e3208a63041d2e4d013b1d2b415bf3bf44e9a5ab685d0531

NanoCore

a4d6c0a909365bd89fdf812fbb75f92edc06fcd2a9a7b3c6d9b553ffe124858f

NanoCore

be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0

NanoCore

c70637a7eb05b36175b101211cda02663eeefff3ea85b0742c5be6f7badd0a75

NanoCore

e1bf95bd96a59075ac24eec7c47b3142361ea79c1fb68e2b6039212fba523449

NanoCore

+ 2'789 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore persistence

Link:

https://tria.ge/reports/200629-fckb5hbm4a/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

UPX packed file

NanoCore

Malware Config

C2 Extraction:

79.134.225.75:21600

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/