MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06d720fb36d32c1b3ce7fea9bb50eb90c2e1d90b270c1f21658c1035344a4c4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06d720fb36d32c1b3ce7fea9bb50eb90c2e1d90b270c1f21658c1035344a4c4b
SHA3-384 hash: b60cda5ac43c563df15705343bf0c0bb7c0197d2c3e6a7438d0f4a04e35bef0ffa900fa72a2b554721e9697780be1b9f
SHA1 hash: 96927bdaa396d799e8ed811a036f198402236356
MD5 hash: 7678edc1e5582b296f94faf7fa23a20d
humanhash: table-burger-two-quebec
File name:819827736_Invoice_Confirmation.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:385'024 bytes
First seen:2020-07-28 15:44:29 UTC
Last seen:2020-07-28 16:54:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:mqebfTUN0lARdYGUVGidodweFbIoGu4Uhc7HQpbUibg8EE:mqyHlA4rGiKqumUhSHe
Threatray 1'310 similar samples on MalwareBazaar
TLSH EF84BF815B5EC294C60D86BEC8745DFA037BAC8ADC5FF7533368BE343A722909519B09
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
NanoCore RAT C2:
samnewagain.duckdns.org:9090 (185.165.153.33)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-AT2
country: AT
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-14T13:31:45Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33870/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.62746.14366.25857.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Connection attempt
Forced shutdown of a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/400682
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252662 Sample: 819827736_Invoice_Confirmat... Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 69 samnewagain.duckdns.org 2->69 71 g.msn.com 2->71 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for dropped file 2->85 87 12 other signatures 2->87 12 819827736_Invoice_Confirmation.exe 2 2->12         started        signatures3 process4 file5 67 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 12->67 dropped 93 Drops PE files to the startup folder 12->93 95 Maps a DLL or memory area into another process 12->95 16 819827736_Invoice_Confirmation.exe 12->16         started        19 RegAsm.exe 6 12->19         started        signatures6 process7 dnsIp8 75 Maps a DLL or memory area into another process 16->75 23 819827736_Invoice_Confirmation.exe 16->23         started        26 RegAsm.exe 16->26         started        28 RegAsm.exe 3 16->28         started        73 samnewagain.duckdns.org 185.165.153.33, 49731, 49732, 49736 DAVID_CRAIGGG Netherlands 19->73 65 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->65 dropped 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->77 file9 signatures10 process11 signatures12 89 Maps a DLL or memory area into another process 23->89 30 819827736_Invoice_Confirmation.exe 23->30         started        33 RegAsm.exe 2 23->33         started        35 819827736_Invoice_Confirmation.exe 26->35         started        37 RegAsm.exe 26->37         started        process13 signatures14 39 819827736_Invoice_Confirmation.exe 30->39         started        42 RegAsm.exe 2 30->42         started        97 Maps a DLL or memory area into another process 35->97 44 819827736_Invoice_Confirmation.exe 35->44         started        46 RegAsm.exe 35->46         started        48 RegAsm.exe 35->48         started        process15 signatures16 50 819827736_Invoice_Confirmation.exe 39->50         started        53 RegAsm.exe 39->53         started        91 Maps a DLL or memory area into another process 44->91 55 819827736_Invoice_Confirmation.exe 44->55         started        57 RegAsm.exe 44->57         started        59 RegAsm.exe 44->59         started        process17 signatures18 79 Maps a DLL or memory area into another process 55->79 61 RegAsm.exe 55->61         started        63 819827736_Invoice_Confirmation.exe 55->63         started        process19
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06d720fb36d32c1b3ce7fea9bb50eb90c2e1d90b270c1f21658c1035344a4c4b/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 15:46:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3lsb6zw2mwbwphh72u3wuhlsdbodwile4gb6ilfrqidknckjrfq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425
NanoCore
062cf3944b0b563efc115688ff8910721db670950acf80c0020351b7d97b48c5
NanoCore
266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34
NanoCore
34f1b02bdccebe61deb518957acd32c9a64ce358102db3be15ed7d46f9945004
NanoCore
7926f37cb45c730b9fa347b9e605d1b8e6a055b97f335bf8f1ea99e953fc94da
NanoCore
99c574b7d4be75a2323c02a53b378b067359be1adf925e5a17414226bd42ddbe
NanoCore
b021142c3c9575a16eb787ba56f17e01925370db0b3d24afa41145b83f8f094f
NanoCore
c21ee6cfa09a79362a7f3b03781a7f252d10b41da48dea433e06fe4a0df26eee
NanoCore
c660d1d93adc735a9a5c59d18eecf6c4124b4e32b3a704bb754e490a2bf5eb35
NanoCore
d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0
NanoCore
+ 1'300 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore evasion
Link:
https://tria.ge/reports/200728-g7y64h168e/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
C2 Extraction:
samnewagain.duckdns.org:9090
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06d720fb36d32c1b3ce7fea9bb50eb90c2e1d90b270c1f21658c1035344a4c4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 06d720fb36d32c1b3ce7fea9bb50eb90c2e1d90b270c1f21658c1035344a4c4b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33870/

Comments