MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f728252169da3a6dc69cd201835230c017ce37c9a9cd06c1e7daa3153ebc6f80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f728252169da3a6dc69cd201835230c017ce37c9a9cd06c1e7daa3153ebc6f80
SHA3-384 hash: 36e240d1b2cf8f5db02c8a9ab00a04cd9a48907b3ba659874bea5a017da7d0a2142ae338d19750406d8d63ce96794549
SHA1 hash: 385952cc0201d064322179a2c25cdd1e80a5acd8
MD5 hash: 91525a4a2e396ba3f30e5b583ce3a7ad
humanhash: enemy-oscar-mars-undress
File name:Información confidencial de entrega Chile AD0AhFnh2020.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:404'480 bytes
First seen:2020-06-18 18:44:08 UTC
Last seen:2020-06-18 20:02:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RNESZEgn05KWr/FNS90NhYroTgho7TWd6r12iN:RNEPc9WrNfoMXWe11
Threatray 1'108 similar samples on MalwareBazaar
TLSH EE84131D3794C935DAECD3F4A6B50A604BB996077A03EB2F4BB8A0F95AB33154210773
Reporter abuse_ch
Tags:COVID-19 exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: dedicated.fco.pt
Sending IP: 151.236.46.67
From: ChilePost <no-reply@posta.hu>
Subject: Rv:Aviso de entrega
Attachment: Información confidencial de entrega Chile AD0AhFnh2020.arj (contains "Información confidencial de entrega Chile AD0AhFnh2020.exe")

NanoCore RAT C2:
duckmeat.duckdns.org:5626 (194.5.98.28)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19846/
Detection(s):
SecuriteInfo.com.Artemis91525A4A2E39.20997.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 18:16:41 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=64uckilj3i5g3ru42iaygurqyal44n6jvhgqnqph3krrkpv4n6aa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
02b60a23298127408b70ac29f643ffa7c0acaf3fe359cb2a1e44fd6eb9680c64
NanoCore
140902e2a23240a35b3e72be9c0878d18c2a7b4780feab213cbcc03156804c05
NanoCore
29dbd904452edf79122808dfb4810fcf8d089b8e298f68d48497c4b82ebcb1b1
NanoCore
3465a87f7c026e390a862f5d4b638745f80fa24a5ef94998e2f5c1818dd0bc15
NanoCore
515a2c1a3b19f636a6bf97af416d1d7c07e4780a51e4976e72bdb408f8379521
NanoCore
60c933d92c32bb887976e0b949092fd822643d445b79a3289eb548866e35ea09
NanoCore
8275f526465d7b9d806b1be78d895d7f499044b456be1aec36b8cac8188890ac
NanoCore
94256300bb5d96beb391b09190f0fa3d3daf4965d3288655acccd42382edc0c4
NanoCore
ee02d4480e7e74c5015af1c4617271afb1ea208b0992050726ae3bf44e268cec
NanoCore
fe9732838a0e6bcbf67213e7fd8bd7ca5e9b35a27041c50b74ca26bb08133fbd
NanoCore
+ 1'098 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200624-qjrx36xdpx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks whether UAC is enabled
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
duckmeat.duckdns.org:5626
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj a8c3d37226a81628b4647e17a2c8fed507505a2854ec3f7b7a28be5ecdae42f9

NanoCore

Executable exe f728252169da3a6dc69cd201835230c017ce37c9a9cd06c1e7daa3153ebc6f80

(this sample)

  
Dropped by
MD5 f6e251278680f0f2b52e9eda6edf2137
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a8c3d37226a81628b4647e17a2c8fed507505a2854ec3f7b7a28be5ecdae42f9
Cape
Cape
https://www.capesandbox.com/analysis/19846/

Comments