MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 036c0fbb1ffb23e9bfd4b4834a396d79ec319078865adf3ef75418450cf9fd18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 036c0fbb1ffb23e9bfd4b4834a396d79ec319078865adf3ef75418450cf9fd18
SHA3-384 hash: 60b7b6f68670f22b460cc16fffb36377d4521ebeb3b3e107de411cb8f601f5cffd3f9f9a0697be12ed7439b7c4a7723d
SHA1 hash: 75e1de41455af91eaa3673be61e155d2fb9d7f63
MD5 hash: 5a8d6faf7b662fe37606a171a2b6bc11
humanhash: william-eight-arizona-video
File name:VttVY345MqorZD6.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:615'424 bytes
First seen:2020-08-28 05:49:40 UTC
Last seen:2020-08-28 07:04:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:1R9mmIIr0eUYzUwDLY2WoTumoq/fSlERTOLaQEf:1R9mmBv/dohQb02H
Threatray 1'094 similar samples on MalwareBazaar
TLSH 15D422015B9DC385ECED1BB0103FBD542BB3BE1AEA35E711A89771AB2673781847160E
Reporter abuse_ch
Tags:exe Hostwinds NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: hwsrv-762625.hostwindsdns.com
Sending IP: 104.168.242.71
From: sales@warehouse7.gr
Subject: Re:Fwd: Revised Order #19300
Attachment: RE Revised Order 19300.r00 (contains "VttVY345MqorZD6.exe")

NanoCore RAT C2:
hampowell.ddns.net

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/52169/
Detection(s):
SecuriteInfo.com.Fareit-FYV5A8D6FAF7B66.10745.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/453205
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 278972 Sample: VttVY345MqorZD6.exe Startdate: 28/08/2020 Architecture: WINDOWS Score: 100 44 hampowell.ddns.net 2->44 46 cdn.onenote.net 2->46 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 13 other signatures 2->60 9 VttVY345MqorZD6.exe 7 2->9         started        13 VttVY345MqorZD6.exe 4 2->13         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\miHXHGdXLggCgr.exe, PE32 9->36 dropped 38 C:\...\miHXHGdXLggCgr.exe:Zone.Identifier, ASCII 9->38 dropped 40 C:\Users\user\AppData\Local\...\tmpFE3D.tmp, XML 9->40 dropped 42 C:\Users\user\...\VttVY345MqorZD6.exe.log, ASCII 9->42 dropped 62 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->62 15 VttVY345MqorZD6.exe 8 9->15         started        20 schtasks.exe 1 9->20         started        22 schtasks.exe 1 13->22         started        24 VttVY345MqorZD6.exe 2 13->24         started        signatures6 process7 dnsIp8 48 hampowell.ddns.net 185.140.53.11, 1777, 49731, 49732 DAVID_CRAIGGG Sweden 15->48 50 192.168.2.1 unknown unknown 15->50 34 C:\Users\user\AppData\Roaming\...\run.dat, data 15->34 dropped 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->52 26 schtasks.exe 1 15->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file9 signatures10 process11 process12 32 conhost.exe 26->32         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/036c0fbb1ffb23e9bfd4b4834a396d79ec319078865adf3ef75418450cf9fd18/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-28 05:51:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=anwa7oy77mr6tp6uwsbuuolnphwddedyqznn6pxxkqmekdhz7uma._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c
NanoCore
4ab00875960cf2aace6c95e245327e7c27ba9cde509afd927ace70756a40c0c8
NanoCore
50cbc0b693b4204caf169db073592dc53b8b1c21b9e71a640ee79692918cdcef
NanoCore
5eb03557bea836689fd85bc82912388cce5771e2f85696c82357462534c1d3c6
NanoCore
72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8
NanoCore
a2938e6462b02115d0579cb8a4294626eb792a781b68175844a5fb26ae6de0b6
NanoCore
bd6650220b7fa539c937c4008df96914a86b1cbaa0098588a9b4ec0175f0c679
NanoCore
c581c0cb91f2bc8e043a9132e704adb5c36147bb4d1a60676bdeb0c8d3686beb
NanoCore
dfe001ed1950d612ea59a75c6367629ff0e031853e9f7a12b7f0381a4f20660f
NanoCore
fafa7913ac9ff3330896a63b8db3d8e8f88e35a10de8a96dafa570ed29b537d6
NanoCore
+ 1'084 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200828-j4plgp4r7s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
hampowell.ddns.net:1777
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/036c0fbb1ffb23e9bfd4b4834a396d79ec319078865adf3ef75418450cf9fd18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

r00 28cb45eb46292a33db4c473dae91d7e54be66016a7bebebc16c254b66cbcd2b1

NanoCore

Executable exe 036c0fbb1ffb23e9bfd4b4834a396d79ec319078865adf3ef75418450cf9fd18

(this sample)

  
Dropped by
MD5 bde51fb914cee7e20aefa4004bf1a3b3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 28cb45eb46292a33db4c473dae91d7e54be66016a7bebebc16c254b66cbcd2b1
Cape
Cape
https://www.capesandbox.com/analysis/52169/

Comments