MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01956570f3d4747162a5b0c381bd39c843ac0a50c9355cecc621cfe9ae10a6df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	01956570f3d4747162a5b0c381bd39c843ac0a50c9355cecc621cfe9ae10a6df
SHA3-384 hash:	19dba2391da3b5999e8f1a1f599ad42807394ef58b2c5b1f1cde2f5ff4fb1094bb507532754de41e8ab185daccb8f673
SHA1 hash:	c0a6e4ed8e34862e349e54c8fc6a66f0b8764a11
MD5 hash:	2335d79d0c434c0036d8569d711b7b31
humanhash:	oklahoma-lima-wolfram-apart
File name:	PDF-PAYMENT-SLIP-SBIN0017313-PDF.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	511'488 bytes
First seen:	2020-06-29 06:32:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:iWrENJ8agyCHAPyhsnwl5feEJ6SOq2rZpZssMMZyvhxewACrLYJzE5zMobADS2Y1:AJ8agCOsnwiEwTsNMZoeBeYtClYS
Threatray	1'205 similar samples on MalwareBazaar
TLSH	FAB4155A2E60CB47F47502F074705E1217B22956E623E236D883A0BFE8377BA3977257
Reporter	abuse_ch
Tags:	CHN exe geo NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: oceanleadership.org
Sending IP: 37.49.224.193
From: sf express < ers@oceanleadership.org >
Subject: 尊敬的顺丰速运客户：您好 victim-email
Attachment: PDF-PAYMENT-SLIP-SBIN0017313-PDF.exe

NanoCore RAT C2:
79.134.225.77:5355

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/15394/

Detection(s):

SecuriteInfo.com.Fareit-FVR97B1CDB35EA0.28661.UNOFFICIAL

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/01956570f3d4747162a5b0c381bd39c843ac0a50c9355cecc621cfe9ae10a6df/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-29 03:22:58 UTC

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=agkwk4ht2r2hcyvfwdbydpjzzbb2ycsqze2vz3ggehh6tlqqu3pq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

2d8d0993509c9bf761ec73c65be5dd1c03a416f56dd76973851920deaf9bad76

NanoCore

4192b46f43ae6f482490aa98fbd0690ff4974c677463c73a4230eaa70106b791

NanoCore

5e9feced3d478c821c45e4378ee06f31ab670b7b3fa23e29d75f9f6b46d41df1

NanoCore

6314fa268e933bd1c708c785212078a767c4ea0c602357002171f8b014d29989

NanoCore

6cd7b1c8e3b06ac38919582b023c8204f07277d17b612a98ddb0cc574e2aa991

NanoCore

6ece00da69537d12d933cfc710ef0be2f76ee8d39c111ba1726bd47c8fb8acb1

NanoCore

972b4efd2dda4526a8cd4e508a1b62890e1c082380e458555dd1671045327ef9

NanoCore

bffcfa5a0174337b9a565e7880819ec3388eed4dd15a6076e4f99be4ec5d5f19

NanoCore

d86b5f7fffdf4b871b5487b02de0366b3edbd96a75f86a0f57a602796a8136da

NanoCore

+ 1'195 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore persistence

Link:

https://tria.ge/reports/200629-rare1rrvr2/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

NanoCore

Malware Config

C2 Extraction:

79.134.225.77:5355

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe 01956570f3d4747162a5b0c381bd39c843ac0a50c9355cecc621cfe9ae10a6df

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/15394/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample