MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcfbd97a36604b87573118a94eb16adfa19d2d13f731565120b6f17a6845dda7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	fcfbd97a36604b87573118a94eb16adfa19d2d13f731565120b6f17a6845dda7
SHA3-384 hash:	b370ff809382efbafc97684653719e85929e23d3e7efbfda8150856bb8a16f95c6ddc7b0c7842ee6ecc1d6e041202855
SHA1 hash:	c6dc3182f9b7000d99c1b1055e32bb9a800887d6
MD5 hash:	ba68f5428619cf1da97b225983d6930c
humanhash:	emma-nitrogen-seventeen-florida
File name:	NEW ORDER.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	482'816 bytes
First seen:	2020-08-19 11:32:50 UTC
Last seen:	2020-08-19 12:45:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:UnXZL94IaxPOi9YuKGreW+ZE+tTm8hopytWnnhN3Hx9s0gd8bf:UXl94IaHquKenQE+tKfytWnTR9h5bf
Threatray	1'094 similar samples on MalwareBazaar
TLSH	99A412136A28AF36F65C6BBC02711107A7F6D1269723DB2FBFC9908E2557F4183C0A59
Reporter	abuse_ch
Tags:	Endurance exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: 162-241-214-233.unifiedlayer.com
Sending IP: 162.241.214.233
From: roadtriip25@gmail.com
Subject: NEW ORDER
Attachment: NEW ORDER.ARJ (contains "NEW ORDER.exe")

NanoCore RAT C2:
79.134.225.84:1985

Hosted on nVpn:
% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/48464/

Detection(s):

SecuriteInfo.com.Trojan.Nanocore.567.1349.9125.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

Nanocore MailPassView

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/437738

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Detected Nanocore Rat

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected MailPassView

Yara detected Nanocore RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/fcfbd97a36604b87573118a94eb16adfa19d2d13f731565120b6f17a6845dda7/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-08-18 22:07:00 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7t55s6rwmbfyovzrdcuu5mlk36qz2lit64yvmujaw3yxu2cf3wtq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

32e87ba877bda7e78b9d5c772d7e5a420c375db21b48a0de7275b5311f58aa92

NanoCore

484e5bc2876eee8716634dbdb497aa5df345e2a489a6c75f8ec2acbb4bbdc0be

NanoCore

70adcf8ee223dbe448d85361bb3c3c94d906fd176ceb172e6edaa45d25209e3e

NanoCore

75452ea0fb7435cc2137e8a7c274a65f93a4898fc4e57ec3196c1720b4a9f9cc

NanoCore

855e85de489ded4ca8e543cb8323c2d91e88c0e9d6ffe1c490f6133190c4d6c5

NanoCore

a88a46932f47eec272474435c082a4bc552a13e41dee13ae9c140f20d119fc40

NanoCore

b0fade864cb32de9110f513837a4e6b59e39ac4bf8bd7a3e0fbf54c305e4d006

NanoCore

d3d2a5f1c622f67d7d1fb4a897e45b3daf5a41a1867219f71dec53131dff58b6

NanoCore

fc87f06a5699c35bd0fd808b51c0b0558f112e5bb0158d7553a07456d3cd4ffc

NanoCore

+ 1'084 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

keylogger trojan stealer spyware family:nanocore persistence

Link:

https://tria.ge/reports/200819-c1l3fzv2ba/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

NanoCore

Malware Config

C2 Extraction:

79.134.225.84:1985

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NanoCore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fcfbd97a36604b87573118a94eb16adfa19d2d13f731565120b6f17a6845dda7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/