MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fddbfcd2f4497ffd75f9f1be1619ba4cf5a5ca99df6eb888216e2e0f2bec7990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fddbfcd2f4497ffd75f9f1be1619ba4cf5a5ca99df6eb888216e2e0f2bec7990
SHA3-384 hash: f6b1c01f7ba79d89539f66223bc3a4f9600c00b60754042dc91f250139cc1864496e9b256facac9d19bc5a6cf88ae1c1
SHA1 hash: 055ef53b8e264b99d0dc2755db8846dda179e482
MD5 hash: 492e185e7662e6a2ee670815bb10bef4
humanhash: earth-edward-mango-equal
File name:inquiry.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'076'224 bytes
First seen:2020-08-31 09:20:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 73ae1eef07955a270fc7a7f873444c85 (16 x AgentTesla, 8 x MassLogger, 5 x Loki)
ssdeep 12288:IR/MXPsQjiTiCAeeJpWkjumgIvSQCutDEVFbtir4247AQrns/FInvzgUvnFDhnE3:+QvrCXEucruic247nrns/izRvnhhahB
Threatray 1'101 similar samples on MalwareBazaar
TLSH 5A358D62F2924437D1732A389C5B57B49C3ABE006D2868467BE9DDCC4FF928139352E7
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: ns.tokyoconsultinggroup.com
Sending IP: 211.1.230.102
From: ADMIN <vu.h.my@tokyoconsultinggroup.com>
Reply-To: roadtriip25@gmail.com
Subject: updated inquiry
Attachment: inquiry.arj (contains "inquiry.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53345/
Detection(s):
PUA.Win.Adware.Webalta-6854075-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

PUA.Win.Adware.Webalta-6879873-0
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader34.29944.17906.10656.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455108
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fddbfcd2f4497ffd75f9f1be1619ba4cf5a5ca99df6eb888216e2e0f2bec7990/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 03:25:03 UTC
AV detection:
20 of 48 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xn7zuxujf7725pz6g7bmgn2jt22lsuz35xlrcbbnyxa6k7mpgia._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
121cba7566201217f8725044bc4e51283b873305c5e84b9e1623313cefa5fe4b
NanoCore
4d27b24408ccaed59ba5977e7e7309fc42fc9964bc4e3d4cd3ac363f1b539454
NanoCore
611656c80c7c9b32e24f770d70ba8488cd2b4079b35f7308fd4261d06480ec3f
NanoCore
757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371
NanoCore
99fa917c6f97756ac7ced3ca06142728178550f72be70326ab30420fd4e9797e
NanoCore
ad660d774f78137622d038976557c8782211dbfd39d2ff9a7a4bcc9279ba0f41
NanoCore
d169af713aac6178816694e1006b2e9f6411687fb13ed0402792222d380624f1
NanoCore
edea4daffcfebbb11f70cfa4fdcc38c85eeb8de82fe6be10e41efb520f7c7496
NanoCore
f484f2e953d9571e035e86dd89c82755ce0684fddd30b3d41bac21ac65f0cff4
NanoCore
f973277a035ffef0b6da3768b836cb041895b7db7d9af0e89dbd2af3a55b3dfe
NanoCore
+ 1'091 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx keylogger trojan stealer spyware family:nanocore persistence evasion
Link:
https://tria.ge/reports/200831-754eft1gxs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
UPX packed file
NanoCore
Malware Config
C2 Extraction:
185.140.53.178:1985
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fddbfcd2f4497ffd75f9f1be1619ba4cf5a5ca99df6eb888216e2e0f2bec7990

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 3aa5722aea8ef83c6f9b5c24df5821351fb46fecd31061585e91d2fecdc15082

NanoCore

Executable exe fddbfcd2f4497ffd75f9f1be1619ba4cf5a5ca99df6eb888216e2e0f2bec7990

(this sample)

  
Dropped by
MD5 18adf54b6a47b6e3e8cb3a8bd8d9848a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53345/
  
Dropped by
SHA256 3aa5722aea8ef83c6f9b5c24df5821351fb46fecd31061585e91d2fecdc15082

Comments