MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004
SHA3-384 hash: aae57ff1aad12ce09c84a55ca667a96b5df88cdacb28591905e8bdc97a1e7b3127dc60f3ca8cc3550965537f64461437
SHA1 hash: 5fd9e9262c067e94598d4a4e429e3eab07aefee7
MD5 hash: c917e89878c7f2c91ebc7caaa426bf39
humanhash: oranges-india-high-skylark
File name:c917e89878c7f2c91ebc7caaa426bf39.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:795'136 bytes
First seen:2020-07-20 11:08:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 947a363cee796918c4dd5f0352950426 (5 x AgentTesla, 5 x Loki, 5 x MassLogger)
ssdeep 12288:ipxEDrQY5EvoFzhlmTS1i4jkkg52CKRC8fZ9G+Y7oZU/YjuOgFQVZvhrw:ya8voVOIObYfZocZUtOgFGvy
Threatray 2'636 similar samples on MalwareBazaar
TLSH 4A05B026F2E04877C1771A7C4D1B66A8A836BE003E2C9D766FE75C4CDF3A64034A5297
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
NanoCore RAT C2:
snup2020.ddns.net:1996 (45.143.222.167)

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28978/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391403
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 248091 Sample: MeHJPDFaaI.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 111 snup2020.ddns.net 2->111 123 Found malware configuration 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 Multi AV Scanner detection for dropped file 2->127 129 11 other signatures 2->129 15 MeHJPDFaaI.exe 2->15         started        18 wpasv.exe 2->18         started        20 wscript.exe 2->20         started        22 2 other processes 2->22 signatures3 process4 signatures5 157 Writes to foreign memory regions 15->157 159 Allocates memory in foreign processes 15->159 161 Queues an APC in another process (thread injection) 15->161 163 Contains functionality to detect sleep reduction / modifications 15->163 24 notepad.exe 5 15->24         started        28 notepad.exe 2 18->28         started        30 dyeuiwo.exe 20->30         started        165 Maps a DLL or memory area into another process 22->165 32 dyeuiwo.exe 3 22->32         started        34 dyeuiwo.exe 22->34         started        process6 file7 103 C:\Users\user\AppData\Roaming\...\dyeuiwo.exe, PE32 24->103 dropped 105 C:\Users\user\...\dyeuiwo.exe:Zone.Identifier, ASCII 24->105 dropped 147 Creates files in alternative data streams (ADS) 24->147 149 Drops VBS files to the startup folder 24->149 36 dyeuiwo.exe 24->36         started        39 dyeuiwo.exe 24->39         started        41 dyeuiwo.exe 28->41         started        151 Maps a DLL or memory area into another process 30->151 43 dyeuiwo.exe 30->43         started        45 dyeuiwo.exe 30->45         started        107 C:\Users\user\AppData\...\dyeuiwo.exe.log, ASCII 32->107 dropped signatures8 process9 signatures10 131 Multi AV Scanner detection for dropped file 36->131 133 Detected unpacking (changes PE section rights) 36->133 135 Detected unpacking (creates a PE file in dynamic memory) 36->135 139 3 other signatures 36->139 47 dyeuiwo.exe 1 15 36->47         started        52 dyeuiwo.exe 36->52         started        137 Maps a DLL or memory area into another process 39->137 54 dyeuiwo.exe 39->54         started        56 dyeuiwo.exe 39->56         started        58 dyeuiwo.exe 41->58         started        60 dyeuiwo.exe 41->60         started        62 dyeuiwo.exe 43->62         started        process11 dnsIp12 113 snup2020.ddns.net 47->113 115 194.5.97.22, 1996, 49721, 49722 DANILENKODE Netherlands 47->115 95 C:\Program Files (x86)\...\wpasv.exe, PE32 47->95 dropped 97 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 47->97 dropped 99 C:\Users\user\AppData\Local\...\tmp4CBB.tmp, XML 47->99 dropped 101 C:\...\wpasv.exe:Zone.Identifier, ASCII 47->101 dropped 117 Hides that the sample has been downloaded from the Internet (zone.identifier) 47->117 64 schtasks.exe 1 47->64         started        66 schtasks.exe 1 47->66         started        68 dyeuiwo.exe 54->68         started        119 Maps a DLL or memory area into another process 62->119 121 Sample uses process hollowing technique 62->121 file13 signatures14 process15 signatures16 71 conhost.exe 64->71         started        73 dyeuiwo.exe 64->73         started        76 conhost.exe 66->76         started        141 Maps a DLL or memory area into another process 68->141 143 Sample uses process hollowing technique 68->143 process17 signatures18 78 notepad.exe 71->78         started        153 Maps a DLL or memory area into another process 73->153 81 dyeuiwo.exe 73->81         started        83 dyeuiwo.exe 73->83         started        process19 file20 109 C:\Users\user\AppData\Roaming\...\win.vbs, ASCII 78->109 dropped 85 dyeuiwo.exe 78->85         started        process21 signatures22 145 Maps a DLL or memory area into another process 85->145 88 dyeuiwo.exe 85->88         started        90 dyeuiwo.exe 85->90         started        process23 process24 92 dyeuiwo.exe 88->92         started        signatures25 155 Maps a DLL or memory area into another process 92->155
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 11:10:08 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmdfigwveoukwx5efjzgbji6dnq3dc24gnji3nvkgc32o5zdcaca._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
06cd18b13e77f513e826da358a65d6f61b05769ce830c8fb9d15b916c672ea61
NanoCore
3874eba497e0b61949d0772430ce1df420e28777dba850a6033295212e9de9c5
NanoCore
5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f
NanoCore
5e4da067908b56292fc2595a72378a091feccd8090b6ba186db4287c94a68680
NanoCore
7259675aad35bed593ec88a0f96263e182eaac06043f25df3362eb29186d2cd1
NanoCore
a97663c4fdf7f3cdf524888ec2952bb015e77484d50627e185e67c8846bd8660
NanoCore
c4284c413395930a3ca9561d55045bb40c5d14d8c70e44f4f7a9b944ef34935c
NanoCore
c885429e131f2a8913a92af0d9fe3eae982fabf383789821f7db2b54eb235d8a
NanoCore
cc829675a0e11138d47b42b5c19e45403d7d73731aac0c97ca8b2a0e37a960f8
NanoCore
ff5fb544251818945ba7b14fb0602d71188133caf7742871318291c91b474013
NanoCore
+ 2'626 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200720-yv9dl5469s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Drops startup file
UPX packed file
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
snup2020.ddns.net:1996
194.5.97.22:1996
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/410917/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/28978/

Comments