MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16f1274d2435181f2fb7ab3ba9fe1f7e9755e9cc449de481bd5ec636b6f32d52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	16f1274d2435181f2fb7ab3ba9fe1f7e9755e9cc449de481bd5ec636b6f32d52
SHA3-384 hash:	11502da6d569c8ab48905eba8dfe2f3d48f34daf17426756dd2d39c2a4392cee21623148da6f321334b02123a4fb17ad
SHA1 hash:	0cc18c6b4b8c184258eac66194c25c58caaa7324
MD5 hash:	fd901c061ab5128e07a6af8d0c166455
humanhash:	nine-emma-hawaii-cold
File name:	Invoice8044.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'015'808 bytes
First seen:	2020-11-07 09:57:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:dhA43RF2N0xv4vnpKPBjHba/FA832Q1ROhYY+shHoRtwJq68GVnoA9Enw3jiskc4:vh3Rykvj7ad332QdeInCCIEns+sf
Threatray	1'246 similar samples on MalwareBazaar
TLSH	DF25CFF6A246E76AC40F043FF84B256183D9DF5E99F8804A57C9B11D13BC2CE65AC48B
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: mail.omunicipio.com.br
Sending IP: 179.190.96.225
From: Accounts <jotaan@omunicipioblumenau.com.br>
Subject: Invoice8044
Attachment: Invoice8044.img (contains "Invoice8044.exe")

NanoCore RAT C2:
u852121.nvpn.to:3410 (185.140.53.159)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-11-06T23:02:44Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.28393.2061.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

NanoCore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/523726

Signature

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16f1274d2435181f2fb7ab3ba9fe1f7e9755e9cc449de481bd5ec636b6f32d52/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-05 22:10:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c3ysotjegumb6l5xvm52t7q7p2lvl2omiso6jan5l3ddnnxtfvja._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

51874d1c039e563df3c8f2603fb84827126a826b1ad37c54035b3a12e3bd4ff6

NanoCore

8ca4a5887d8506ae275cdc9d9ba89dab07e2997435435a1f0bd111f78ad0a382

NanoCore

9b42273e757d2cd6b0861aa1a06f32f4f8e6882deaa65167e0068c38845b0cd2

NanoCore

acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423

NanoCore

b505171cca5c5eefe4dd6e6ce852dd380cfc08effeef51ed1219741f2910b873

NanoCore

bcba47ff7460e3a03098516dcc1af9369b8fcc302fefaa07c57024830f57e93c

NanoCore

c7154738b60f9701a12d782145b30336a8267101c43a03eab8f8231ff094187a

NanoCore

e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0

NanoCore

e1cfca7448e28054c1e1ef3ca5ea11921d46f85c75729310d6d4f01c955a607e

NanoCore

+ 1'236 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201107-qmd94kfczn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NanoCore

Malware Config

C2 Extraction:

u852121.nvpn.to:3410

Unpacked files

SH256 hash:

16f1274d2435181f2fb7ab3ba9fe1f7e9755e9cc449de481bd5ec636b6f32d52

MD5 hash:

fd901c061ab5128e07a6af8d0c166455

SHA1 hash:

0cc18c6b4b8c184258eac66194c25c58caaa7324

Link:

https://www.unpac.me/results/d254b30d-f7cc-4018-89bf-4d7f2bfb60f4/

SH256 hash:

fb5e09a4b28400d62a63a5eaea3d3074f9c66719b1a6fde1eccd8f48b3aae675

MD5 hash:

4586b07d0f0fbae76de34ab75ba1dbf9

SHA1 hash:

0b295cc6634876fe421928255277bf367f81a1bf

Link:

https://www.unpac.me/results/d254b30d-f7cc-4018-89bf-4d7f2bfb60f4/

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/d254b30d-f7cc-4018-89bf-4d7f2bfb60f4/

SH256 hash:

2ed310052f74410ad1a83c84b658985cf7d67cc00a9ae61c3a5cd73ac0d677a5

MD5 hash:

71646334f969acf84e1465e6e5a6371a

SHA1 hash:

b7cb170d2c9d3d577382df81faa4b0bc7ae59453

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/d254b30d-f7cc-4018-89bf-4d7f2bfb60f4/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/