MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5cffd780367ce051b550f171bdac33d5a4eba0b12acfac1bcfa63669c94104b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	f5cffd780367ce051b550f171bdac33d5a4eba0b12acfac1bcfa63669c94104b
SHA3-384 hash:	8d7ea059adc218d17aae214a87a3f4a0b4bd4e3a64189496a92105362a29dbe028b48eab5d43b113feb4fa9491e8cea4
SHA1 hash:	2839e995da54eca76acd3138c1a3f3663d93df81
MD5 hash:	0757361cb0940d08653963807aaa496a
humanhash:	bacon-jersey-cardinal-bacon
File name:	0759_08_07_20_REF3.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	730'624 bytes
First seen:	2020-07-08 06:52:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	927c37aff1985dca3a480112dcc5320c (11 x AgentTesla, 5 x NanoCore, 3 x Loki)
ssdeep	12288:LXjgbnMmIKCXsLIN4KKD6fpkR+ypsKtvP1QZTQC+ILopSxzbZJYUc3J3wozXzjhp:rkb4uLgpfpkZqbYUavXzjRt
Threatray	3'184 similar samples on MalwareBazaar
TLSH	B3F4BF22F7A14833C16316799D1B57B89836BE103D28B9862BE55C4C9F39383357AF93
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: ferrospg.com
Sending IP: 45.143.222.165
From: Sivakumar Vl [INDIA] <siva.kumar@vanguardlogistics.com>
Subject: REQUEST FOR QUOTE
Attachment: 0759_08_07_20_REF3.pdf.zip (contains "0759_08_07_20_REF3.exe")

NanoCore RAT C2:
wazzy.ddns.net:1716 (194.5.99.24)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: INTER_CLOUD_SERVICES_RUSSIA
admin-c: ICTR1-RIPE
tech-c: ICTR1-RIPE
org: ORG-ICR2-RIPE
country: RU
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-04T13:20:18Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/22885/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Launching a process

Deleting a recently created file

DNS request

Connection attempt to an infection source

Enabling autorun with Startup directory

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/f5cffd780367ce051b550f171bdac33d5a4eba0b12acfac1bcfa63669c94104b/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-08 06:53:08 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6xh726adm7hakg2vb4lrxwwdhvne5oqlckwpvqn47jrwnheucbfq._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

NanoCore

4dd90f817154b87c0269aabb51365dfa4c57896449642d178ad19891e52b5aff

NanoCore

70706e21df2777c92d5a20bf792b88d3152b05fab743d881b3a3311291da6f62

NanoCore

8e7d8dc49220d4ac88858ec8401d0d2b2a0c21d7b8e301c68de51e8a99238363

NanoCore

8eb3933e2012364a81fa9f1003c485c03c6cafd61eefaf1b4059cc8d4a4066a7

NanoCore

c24f35c4f744e2ab5aaa0c950506bc3c9753507848d9094a3359da507a96b861

NanoCore

c75fa16118d5d921d598bd9ff539426dcfd7aece03815e5be6414763ba72bda6

NanoCore

de77f2b2fe58ab75b2a6876cc9883d59330766559847223284d764b74d88df12

NanoCore

e83175d7d56084e7dde32b39f8d113f91ee1834890222dde4f987236a88b4165

NanoCore

ea9d8c28e623cbabc1407aa3da7a681adb93ef3e758fe31aaf664ff3998cddb5

NanoCore

+ 3'174 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200708-5laxablvx2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Checks whether UAC is enabled

UPX packed file

NanoCore

Malware Config

C2 Extraction:

wazzy.ddns.net:1716
194.5.99.24:1716

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/