MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e50f294da86ca74a28ab00ef44e48d7c0374f4a33e2ed436f9a4ed4e6a01e9b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	e50f294da86ca74a28ab00ef44e48d7c0374f4a33e2ed436f9a4ed4e6a01e9b9
SHA3-384 hash:	45e37c8f486bce8d02caed32d05c1cb24e0d4814e97073d56bf9dd79f48e135e31373bbe40cac35bf30f64aef3d3f5b5
SHA1 hash:	c2a8491a8840c92d7725c41c104cbed97900a850
MD5 hash:	b3dd5f1333d92f98738eaaad8b0c4c22
humanhash:	oregon-eleven-spring-sierra
File name:	Invoice#441098.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	502'784 bytes
First seen:	2020-07-07 05:43:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:TqfZykNN33F1QU+BHtCO79CqFSp9UXnYIoZogEa:nU+xBgqAp9tIoZl
Threatray	1'599 similar samples on MalwareBazaar
TLSH	18B49D75B126AEE7CA3E08F4800028414FB5A89726EDE3D97DC270DA85C5FC09E957B7
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.190.177.146
From: Customer Service <pedro.henrique@medbeta.com.br>
Reply-To: noreply@accounts.com
Subject: Please see attached invoice
Attachment: Invoice441098.img (contains "Invoice#441098.exe")

NanoCore RAT C2:
u852121.nvpn.to:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Nanocore

Link:

https://www.capesandbox.com/analysis/21814/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file in the %AppData% subdirectories

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Enabling autorun with Startup directory

Unauthorized injection to a system process

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/e50f294da86ca74a28ab00ef44e48d7c0374f4a33e2ed436f9a4ed4e6a01e9b9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-07 05:45:05 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4uhsstninstuukfladxujzenpqbxj5fdhyxninxzutwu42qb5g4q._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

353be7f64ffa25bf3d8ea90b55b9b288633883f00f328841007f82324a37a4d7

NanoCore

37733872a7d58215f79223dd43b1a92877f768bd1344d0570f2fe74ab4db520b

NanoCore

54b13451934452d59e08b8d8d07d28259264149ef5dde0a3ee57a948aad8d7a0

NanoCore

68cc2dbe766234de0ce7f8853b2526bc8fa7194c106f0cecd55683e297d3764f

NanoCore

7369dcfec21741f712f75662e29752b6a55fcacd1fbf76b9948d40b82e89b9a0

NanoCore

891ab6a3b8d3a6f3d8fa8b7bd6499c9f63f73501ea0af12ab8ede86d2d6635be

NanoCore

c6be88731d6b6921aa6b8931ccad19bd0b1028c9c2e03b7d9d6245d6cc5d6271

NanoCore

cdf43e36edf4aaa17906bf552cd65351d9b6e66a77356f91cd819874cf531e03

NanoCore

d63293a1c8b19e0a042d92655ffa095412af2804a2523b31cfeb4e11e1fb772a

NanoCore

+ 1'589 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200707-56njc6vlsn/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

u852121.nvpn.to:3410

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/