MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf2ae6336471a78f6df77e11aaf70256bbdf16c64392c615e1ab2b3fbacce71a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	cf2ae6336471a78f6df77e11aaf70256bbdf16c64392c615e1ab2b3fbacce71a
SHA3-384 hash:	6b62639fb92d632a26ebc91aaa987be7dce46594634bfe403ed5f316efef53e202878f4e07e4585adf178600e43f202c
SHA1 hash:	fb099d313940d898f9fb33ff7bd3dafbda5970cb
MD5 hash:	d11f92febc46e5fe80a067dc76fef923
humanhash:	august-yankee-queen-stream
File name:	d11f92febc46e5fe80a067dc76fef923.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	626'688 bytes
First seen:	2020-07-02 12:14:42 UTC
Last seen:	2020-07-02 12:52:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:93t+8kUPUw5Yv6ivq3zjg38qKi/Y794vK67rsZ:PtQQ3rqKiw794vK67AZ
Threatray	1'133 similar samples on MalwareBazaar
TLSH	AAD40219BBD89626C8DE8A34D915D332037A7F13690BDF123EC0BD4B79B32E39502956
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore RAT C2:
mogs20.hopto.org:1085 (185.244.30.251)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.244.30.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-06-03T09:20:12Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/18435/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WOX.12822.UNOFFICIAL

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/cf2ae6336471a78f6df77e11aaf70256bbdf16c64392c615e1ab2b3fbacce71a/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-07-02 12:16:05 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z4vomm3eogty63pxpyi2v5yck2556fwgiojmmfpbvmvt7owm44na._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

258856f05819789b47e0bed58b1df479976a355cd30b953b23f9e2f5d286578a

NanoCore

266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34

NanoCore

49734ef67be2f2a71545820ed6258683d03a9aa3a97db586aea7d148090b4fa4

NanoCore

55374abf463b7c308310fc62d2d25da0059234c002669bae24a710cf695be746

NanoCore

8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf

NanoCore

c660d1d93adc735a9a5c59d18eecf6c4124b4e32b3a704bb754e490a2bf5eb35

NanoCore

d177132fa7941febe11431bb8dd897e86464eaac755b8e693ceba29be0f90afa

NanoCore

f1fddc0cfd9632772ba10b059d83a1bb34b01a81766e61804bc39ca3898c5211

NanoCore

f871edec5f55a385ddd9ec0223795927f2a83a57793a4d40592fa6d167ecc5ec

NanoCore

+ 1'123 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

persistence evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200702-llhtkqs3dn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

NanoCore

Malware Config

C2 Extraction:

mogs20.hopto.org:1085
185.244.30.251:1085

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/