MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f19e8ff99a9037ceaf1e4bb1c3ea78529c755fc6dd0be5f26fd8b7d1269d712b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f19e8ff99a9037ceaf1e4bb1c3ea78529c755fc6dd0be5f26fd8b7d1269d712b
SHA3-384 hash: 10b3b837230ed3bc0910554b04c71f505c1c3ab1883a0c9f5e14d84b1990b77cbcbd0d29697b7bbee39e1156d4fd4112
SHA1 hash: 521aec04d7ccf273ae7df9edff8d073398773367
MD5 hash: 4ac0175c3d3cf6f4cad74bb1bf8da361
humanhash: vegan-fix-pluto-december
File name:Doc_034_scan.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:871'424 bytes
First seen:2020-07-20 10:43:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:2DmnLglyh1q9I6/kldSCGDyaod+ik4g8y3SoDGzstRmWpw/6fUYyunYTKl6mrixl:2DmnLk+OPW2rEloD2svmr6f9yuSKl6u
Threatray 1'091 similar samples on MalwareBazaar
TLSH F805E0C83B40940DC49E1EBA5E52CD70D730AD46F6F2E34767C26E9E297E35BC905292
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: cloudhost-166907.us-midwest-1.nxcli.net
Sending IP: 104.207.254.60
From: VINCI S.A <sales@lisafashionblog.com>
Reply-To: VINCI S.A <cudillojapson@hotmail.com>
Subject: RE: NOUVELLE COMMANDE
Attachment: Doc_034_scan.r11 (contains "Doc_034_scan.exe")

NanoCore RAT C2:
williamfred.ddns.net:4983 (185.244.30.19)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
descr: Budapest, Hungary
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-07-17T11:52:57Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28945/
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391358
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 248073 Sample: Doc_034_scan.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 39 williamfred.ddns.net 2->39 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 13 other signatures 2->51 9 Doc_034_scan.exe 5 2->9         started        12 MSBuild.exe 2 2->12         started        signatures3 process4 file5 29 C:\Users\user\AppData\Roaming\CibXhTEf.exe, PE32 9->29 dropped 31 C:\Users\...\CibXhTEf.exe:Zone.Identifier, ASCII 9->31 dropped 33 C:\Users\user\AppData\Local\...\tmp6469.tmp, XML 9->33 dropped 35 C:\Users\user\...\Doc_034_scan.exe.log, ASCII 9->35 dropped 14 MSBuild.exe 8 9->14         started        19 schtasks.exe 1 9->19         started        21 conhost.exe 12->21         started        process6 dnsIp7 41 williamfred.ddns.net 185.244.30.19, 49734, 49735, 49736 DAVID_CRAIGGG Netherlands 14->41 37 C:\Users\user\AppData\Roaming\...\run.dat, data 14->37 dropped 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->43 23 schtasks.exe 1 14->23         started        25 conhost.exe 19->25         started        file8 signatures9 process10 process11 27 conhost.exe 23->27         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f19e8ff99a9037ceaf1e4bb1c3ea78529c755fc6dd0be5f26fd8b7d1269d712b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 10:45:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gpi76m2sa345ly6joy4h2tykkohkx6g3uf6l4tp3c35cju5oevq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
036c0fbb1ffb23e9bfd4b4834a396d79ec319078865adf3ef75418450cf9fd18
NanoCore
11e8dbf88b15aa6f09d5f7d9fffd3f333ec9a84b6bb9b9bb8c69dad6f5890603
NanoCore
24bbbef09b9e58d6da0fe8ae7dbfbc093dc5287cb26dc98e948684a1fc442642
NanoCore
3cb221973d52d12fc900f37496a9c5f77b30da63886a0f7d54111982c00e872b
NanoCore
3f9b2ff85d8fdeb4795e6cbee63e908cba9d205e835465ae80025a4d0d136c04
NanoCore
56a37f303bc905ace197941dcc0519f3880baffe10c6d3ecfc80bbff1aae9059
NanoCore
b2e9a56a20c71306ae8965955dfa780b868c5766f3ebb2f8e4c816a305711cdd
NanoCore
bfbb3994c6e4d6ae2d30921757d039e004d1f5274c314765e641bf111bc0dec7
NanoCore
e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed
NanoCore
e607a54592bc86fd86e26145cba601bf2dc2e94ad19bcb0a14f09398468c8265
NanoCore
+ 1'081 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200720-43rtmf1aja/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
williamfred.ddns.net:4983
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f19e8ff99a9037ceaf1e4bb1c3ea78529c755fc6dd0be5f26fd8b7d1269d712b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar bab9dcc1f07e7b261dea4504011002dd142702c855bfdf95aad9e6c3dcc2e1af

NanoCore

Executable exe f19e8ff99a9037ceaf1e4bb1c3ea78529c755fc6dd0be5f26fd8b7d1269d712b

(this sample)

  
Dropped by
MD5 b87a27f0400c3fec8e927448a9f86ce0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28945/
  
Dropped by
SHA256 bab9dcc1f07e7b261dea4504011002dd142702c855bfdf95aad9e6c3dcc2e1af

Comments