MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cff3d5fedc8fdab09a7b27524a02503b53f4f7378ab0a09219701d3b9c3e68f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	cff3d5fedc8fdab09a7b27524a02503b53f4f7378ab0a09219701d3b9c3e68f4
SHA3-384 hash:	b4f88ad46bd22249e6c66787731fb0d4ae1b17344075bf2a68c48cb8d8bc80289d2b5d177c94ffc5c5a886dfc6d71809
SHA1 hash:	316f61f63f103bad9c1e861c8c5b7ba93dd2f17b
MD5 hash:	7e889f17508d95e56a1ee333fe79f593
humanhash:	cup-quiet-kansas-kilo
File name:	PAYMENTSLIP-TT COPY-XSLX.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	421'888 bytes
First seen:	2020-06-01 20:00:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:qamRurAiBV1ntZsaOSNgXAWcRdrAbgZ/nolT:q7RurAiBVvuaOKHWAW
Threatray	2'503 similar samples on MalwareBazaar
TLSH	E6949BEA717B500EF4C0AAFDA091A04C12A69C0D6C4DA26D5956A2B1C4FEF4D4F0FF36
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: unwto.org
Sending IP: 37.49.224.166
From: CEO-CFO <CEO.CFOmt@unwto.org>
Subject: qc@solidchannel.com DOWNLOAD AND PREVIEW ATTACHMENT S
Attachment: PAYMENTSLIP-TT COPY-XSLX.exe

NanoCore RAT C2:
drftybun.ddns.net:3702 (185.165.153.15)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-01 07:59:34 UTC

AV detection:

21 of 31 (67.74%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z7z5l7w4r7nlbgt3e5jeuasqhnj7j5zxrkykbeqzoaotxhb6nd2a._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

22525129004fbb8dbbc180fd0898cc33801cc75a9d6fc1072020ae12b4c2de88

NanoCore

2a519b0211dc12578b5de671417b3fdf630b27926f3eb9cc11855fc85972646d

NanoCore

483338a656b2a7bf095d9bf3ca950419f217acdb9812b3d0013ccc13785f305e

NanoCore

5e3140ed7841e6893114a0d4d9c5ee239736449aaba20d2c8939a051e5ef21c5

NanoCore

74e0eb3b39810ae2847ba2238bcf8fc178c187d7b783f865c262117d933f6d4c

NanoCore

83b1d755208da6440d8d5879378f6db6449ed5e33c18302b47a477ec85082dbd

NanoCore

9841eb92f550105bc744c34152086e2c6624e08b2a99c24c9084bdc7add30508

NanoCore

cdf7d9b74f5f5314bb7cb771a139b12ca61bc304e1afd3f2bbaeae1d844107ea

NanoCore

ee02d4480e7e74c5015af1c4617271afb1ea208b0992050726ae3bf44e268cec

NanoCore

+ 2'493 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore coreentity evasion keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-xpd5lhb5re/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

rezer0

CoreEntity .NET Packer

NanoCore

Malware Config

C2 Extraction:

drftybun.ddns.net:3702
127.0.0.1:3702

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe cff3d5fedc8fdab09a7b27524a02503b53f4f7378ab0a09219701d3b9c3e68f4

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample