MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f28117cacfadab566b4b8f7e27b23d25f9b7cdc1428bcde1a0d4e473340efe6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	f28117cacfadab566b4b8f7e27b23d25f9b7cdc1428bcde1a0d4e473340efe6a
SHA3-384 hash:	774669ca36f429e8c8355afe53879c72c9ab5e6e1b7408ad82bb36c8243aca05037964a72d936cb828dbd3a467be8f9e
SHA1 hash:	689b0dfcdd27710850013971cc1cdd7ab7a8dacf
MD5 hash:	49df10de56b437cc7c7f431d9c745974
humanhash:	delaware-helium-oregon-fourteen
File name:	IMG_2020_00005.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	972'800 bytes
First seen:	2020-07-09 07:56:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e335e0f383b17202864efb975d29d538 (14 x AgentTesla, 6 x Loki, 3 x AZORult)
ssdeep	12288:UVDQmQK44+3gCiU24vBV3RpqTf5RqH+YalI3QmMTP/DsgeA974aeDNPk42E6JuN8:MkAVCi74LofeHXecQmiDXeObKJkHExy
Threatray	2'583 similar samples on MalwareBazaar
TLSH	9F257C22F3934472C062167D9D3B67B49826BE112E28BA4B7FF56C3C5E396403937297
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT Yahoo

abuse_ch

Malspam distributing NanoCore:

HELO: sonic301-1.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.129.40
From: Avadh Cotex <avadhcotex@yahoo.com>
Subject: purchase contract
Attachment: IMG_2020_00005.r02 (contains "IMG_2020_00005.exe")

NanoCore RAT C2s:
urualla.duckdns.org:3999 (192.169.69.25)
urualla3.duckdns.org:3999 (194.5.99.64)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: INTER_CLOUD_SERVICES_RUSSIA
admin-c: ICTR1-RIPE
tech-c: ICTR1-RIPE
org: ORG-ICR2-RIPE
country: RU
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-04T13:20:18Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23557/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

DNS request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Sending a TCP request to an infection source

Unauthorized injection to a system process

Enabling autorun with Startup directory

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/f28117cacfadab566b4b8f7e27b23d25f9b7cdc1428bcde1a0d4e473340efe6a/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-09 07:58:06 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6karpswpvwvvm22lr57cpmr5ex43ptobikf43yna2tshgnao7zva._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

NanoCore

2acf6c2398a12dc97ff2ceec4f348ed6338c4aafb2dcfeb24856cf8526d12a9d

NanoCore

3d59dd3243943e67cd98e96104d36c22925c7df238df3aeb804663893b102969

NanoCore

5e4da067908b56292fc2595a72378a091feccd8090b6ba186db4287c94a68680

NanoCore

76189982f3df9203548f9c9c005da310034b5c2f0d02f58de2a20e00ee26ed87

NanoCore

a97663c4fdf7f3cdf524888ec2952bb015e77484d50627e185e67c8846bd8660

NanoCore

cc829675a0e11138d47b42b5c19e45403d7d73731aac0c97ca8b2a0e37a960f8

NanoCore

ccacf8c63861f0b2498ab9d1c5e515376b65053ed230cb1d02d8be09b35f4b83

NanoCore

d1d26e5c1f43753746f62ef30a1ceaeb9c1309893999ffde6d1371db4e82ada8

NanoCore

e0d6344a846da96882dded2616661ce7b3f4011d05935c64d14e9ccf1a9965e2

NanoCore

+ 2'573 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200709-52yht2hzrn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Drops startup file

Loads dropped DLL

Executes dropped EXE

UPX packed file

NanoCore

Malware Config

C2 Extraction:

urualla.duckdns.org:3999
urualla3.duckdns.org:3999

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/