MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08b5840287d51dd47c2458f778673d7497c0bc8bd3a479bd28edead49815153f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08b5840287d51dd47c2458f778673d7497c0bc8bd3a479bd28edead49815153f
SHA3-384 hash: 9d8f7cb8b4bc1b56583d660c1d3b51352896859f27ede45c17bbb4c026b80d5d52191415caf6f19169e4dcac20393869
SHA1 hash: 48bc1bdbc578f45c029ee37cfe75878066fb878d
MD5 hash: a52b204f98dab80d432a6fef715bbd8a
humanhash: nuts-october-stairway-helium
File name:order list.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:783'360 bytes
First seen:2020-11-05 15:33:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:xliCABHYj6rScaCMFjNKdmC8QMixV33tzh5Cp4Gm/6GchFniuiYZ6CO2JmFKFjZl:xlUBHIVFjNLCSiuiOJO24+jZ/CsY/Uqv
Threatray 1'220 similar samples on MalwareBazaar
TLSH 71F4AD9C321472EEC857D072DA682E74FA6075BB931F4203A42755ADEE4D88BDF244F2
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: takpay.org
Sending IP: 78.47.79.6
From: Jose Landeros <no-reply@takpay.org>
Subject: New Order List
Attachment: order list.arj (contains "order list.exe")

NanoCore RAT C2:
79.134.225.120:1974

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83300/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521672
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309935 Sample: order list.exe Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 17 other signatures 2->50 7 order list.exe 7 2->7         started        11 dhcpmon.exe 5 2->11         started        process3 file4 28 C:\Users\user\AppData\Roaming\VSsgstiB.exe, PE32 7->28 dropped 30 C:\Users\...\VSsgstiB.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmp7CDD.tmp, XML 7->32 dropped 34 C:\Users\user\AppData\...\order list.exe.log, ASCII 7->34 dropped 52 Injects a PE file into a foreign processes 7->52 13 order list.exe 1 12 7->13         started        18 schtasks.exe 1 7->18         started        20 schtasks.exe 1 11->20         started        22 dhcpmon.exe 2 11->22         started        signatures5 process6 dnsIp7 42 79.134.225.120, 1974, 49720 FINK-TELECOM-SERVICESCH Switzerland 13->42 36 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->36 dropped 38 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 13->38 dropped 40 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 13->40 dropped 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->54 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08b5840287d51dd47c2458f778673d7497c0bc8bd3a479bd28edead49815153f/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 13:15:06 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bc2yiauh2uo5i7beld3xqzz5osl4bpel2oshtpji5xvnjgavcu7q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0bd23f7c9dce69a94544e24f503955a0fda75586b8da539e89717ee9c5271f96
NanoCore
1d41e76da681ad17d46ff9a1fb6f59afb00a8e96df9f2adf42634f05849e6fd2
NanoCore
22221b72f894bb076ead64d8e6c09daf40692586a2b9f3409d91ae72c0a001ee
NanoCore
3ef73be1c506a00042d72dbef0379db91ddccfc11485688505f043e20f8442de
NanoCore
6cef6b24f9c34ef5503ed6ba52ded7847882e7599bd39954ff9d3409042eeb74
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
7bd7382e7c7adb412c92a59fba2d12aa6dd4a6dbe50a1115df58979c7e172192
NanoCore
865fff19abc468662ae77ea3d5613004b4b22ec22dfb7dd62d5ebb881bb87df3
NanoCore
93bf34f3e42fb55786de7c65c2aa7f8340194e12708170e7f9a0bf0c42c2a72f
NanoCore
d2d355ef39f411f81c87e1c3e6feef02a0dccacf3cc37aa583e97ab9403e2ee8
NanoCore
+ 1'210 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201105-bmtxngfwdx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
79.134.225.120:1974
127.0.0.1:1974
Unpacked files
SH256 hash:
08b5840287d51dd47c2458f778673d7497c0bc8bd3a479bd28edead49815153f
MD5 hash:
a52b204f98dab80d432a6fef715bbd8a
SHA1 hash:
48bc1bdbc578f45c029ee37cfe75878066fb878d
Link:
https://www.unpac.me/results/b22a9160-64a7-4f6c-af13-9a7016c75810/
SH256 hash:
b9cea53410059bbcfa373871bde6cc8154f6a9402fa0451490ff131780121a7c
MD5 hash:
b5ca6c72fc03d1ebc1c3245001dde6d1
SHA1 hash:
522f4331ad0085a7c99409bcacb13e0488b3c50c
Link:
https://www.unpac.me/results/b22a9160-64a7-4f6c-af13-9a7016c75810/
SH256 hash:
57be057f2bda7c48858cc90f8a491f67c4c7462f681c97a98664d06900f49e2d
MD5 hash:
bbc0d35cf55303c4f33838348c5a7d00
SHA1 hash:
7324e41da01cb2ebe5c756ea80df49b18549f341
Link:
https://www.unpac.me/results/b22a9160-64a7-4f6c-af13-9a7016c75810/
SH256 hash:
5bc3063098dac11d52a154519019c0171cc048c2537fe7ad6512fedf13c8bc91
MD5 hash:
56c9187f1f83c4766773ce07d2afc0b5
SHA1 hash:
b72ae9f0e209ffcf85d3236fbabfd708f8f1de45
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/b22a9160-64a7-4f6c-af13-9a7016c75810/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/b22a9160-64a7-4f6c-af13-9a7016c75810/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a4305026f484b8a6ea2d38a741e3299e

NanoCore

Executable exe 08b5840287d51dd47c2458f778673d7497c0bc8bd3a479bd28edead49815153f

(this sample)

  
Dropped by
MD5 a4305026f484b8a6ea2d38a741e3299e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83300/

Comments