MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6
SHA3-384 hash: 2484f295d7956df4b4668a2547c753fdd3a283bd4b39d10ce09961c6641dc5dd94113b16ced270d6b2ce3231b2a492f0
SHA1 hash: 946bcd73cac9655b6b7a25b1aa1e2236285b8360
MD5 hash: 6117c5751e03cb41fe972e1ddb622c07
humanhash: idaho-ohio-lion-summer
File name:DHL AWB TRACKING DETAILS.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:643'072 bytes
First seen:2020-08-13 11:47:47 UTC
Last seen:2020-08-13 13:22:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:A4M5d7o8JvRT903+l03++LweOxLfcjIJqZwIxmwSnRrcEvK8FBE9iX:Od7o8JvRT903+l03++LLOxjGfxmwSGEd
Threatray 1'064 similar samples on MalwareBazaar
TLSH DDD4CE5063A55577E57A7E348A32161007B7BCA76A3EC34E0B9D72CFD8307AC8A10B67
Reporter abuse_ch
Tags:DHL exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: server.redirectory-admin.com
Sending IP: 89.223.126.197
From: DHL DELIVERY SERVICE <invoice@redirectory-admin.com>
Reply-To: DHL DELIVERY SERVICE <farlight4yuanguang@yahoo.com>
Subject: COMMERCIAL INVOICE AND BILL OF LANDING... 13/08/2020
Attachment: DHL AWB TRACKING DETAILS.PDF.z (contains "DHL AWB TRACKING DETAILS.exe")

NanoCore RAT C2:
grace121.duckdns.org:8604 (185.140.53.48)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45162/
Detection(s):
SecuriteInfo.com.Variant.Bulz.47847.24516.30001.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/426100
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 265696 Sample: DHL AWB TRACKING DETAILS.exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 100 68 grace121.duckdns.org 2->68 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 11 other signatures 2->78 9 DHL AWB TRACKING DETAILS.exe 7 2->9         started        13 dhcpmon.exe 5 2->13         started        15 DHL AWB TRACKING DETAILS.exe 4 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 60 C:\Users\user\AppData\...\vALlSGiaOdNtvA.exe, PE32 9->60 dropped 62 C:\...\vALlSGiaOdNtvA.exe:Zone.Identifier, ASCII 9->62 dropped 64 C:\Users\user\AppData\Local\...\tmp67C4.tmp, XML 9->64 dropped 66 C:\Users\...\DHL AWB TRACKING DETAILS.exe.log, ASCII 9->66 dropped 82 Injects a PE file into a foreign processes 9->82 19 DHL AWB TRACKING DETAILS.exe 1 12 9->19         started        24 schtasks.exe 1 9->24         started        26 schtasks.exe 13->26         started        28 dhcpmon.exe 13->28         started        30 schtasks.exe 15->30         started        32 DHL AWB TRACKING DETAILS.exe 15->32         started        34 schtasks.exe 17->34         started        36 dhcpmon.exe 17->36         started        signatures6 process7 dnsIp8 70 grace121.duckdns.org 185.140.53.48, 49707, 49708, 49709 DAVID_CRAIGGG Sweden 19->70 54 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->54 dropped 56 C:\Users\user\AppData\Roaming\...\run.dat, data 19->56 dropped 58 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->58 dropped 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->80 38 schtasks.exe 1 19->38         started        40 schtasks.exe 1 19->40         started        42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 30->46         started        48 conhost.exe 34->48         started        file9 signatures10 process11 process12 50 conhost.exe 38->50         started        52 conhost.exe 40->52         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 11:49:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ab2jnmekoxaq2asovih3nb4d7gqbf2hxa7w33acngjuonbew2pta._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
08c1ed3585826baa8e470be4c446478a895317380573ef787e53afdc264569e3
NanoCore
6306c2750ef668ad467a0f9ee9a72f40420f52e359233223a1a09a755d837b21
NanoCore
6cef6b24f9c34ef5503ed6ba52ded7847882e7599bd39954ff9d3409042eeb74
NanoCore
6eb10ca3e8026756f417b8e04510f768c28175817c73be8f21514dfb186d687f
NanoCore
7398233b8b5b0e13643fcb65b54db72b99b5d2970415ab41fcdb037a780ade7d
NanoCore
786e5ea538d875c628433d6cf45abd9559ede017b01b3fca8eb3bfc6dbc66f12
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae
NanoCore
f6418cb1cf7a9024b0a8e7f736c45f0a7e8aaa5ecd2d41241f20a56ea05ccf07
NanoCore
fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d
NanoCore
+ 1'054 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200813-pbw5pzvhfj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
grace121.duckdns.org:8604
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:RSharedStrings
Create hunting rule
Author:Katie Kleemola
Description:identifiers for remote and gmremote
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z 6f15cd9548d898d233ae228cd3d4b651691518168a9b006f41367222dc9d7489

NanoCore

Executable exe 007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6

(this sample)

  
Dropped by
MD5 b8a0fbddc7ebc43944fdd7a38328d2c8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45162/
  
Dropped by
SHA256 6f15cd9548d898d233ae228cd3d4b651691518168a9b006f41367222dc9d7489

Comments