MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f6b100b68c412b9a6c4289ce2e387bc13805bc9cc46141c3bf2bf497cff3649. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f6b100b68c412b9a6c4289ce2e387bc13805bc9cc46141c3bf2bf497cff3649
SHA3-384 hash: 9999669654eff6257b97f1c38f9e3d01517a05850913dd37097199e74b9c344a60460d87f4315a87d928373c995dbf21
SHA1 hash: 9af37bad68605a67a805847498f725d83ee39531
MD5 hash: 35e252d3d45b4b168cb632d287263ee6
humanhash: item-vermont-march-seventeen
File name:Orden CW62125Q, pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:937'984 bytes
First seen:2020-10-23 13:54:04 UTC
Last seen:2020-10-23 14:59:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:SbDAjyNEk6Ja0ryQPIqTLk+pAMgDLzHyu:SYjyNEk6JaKpApDS
Threatray 1'226 similar samples on MalwareBazaar
TLSH 2E15DF1293A85F54F1BE87386474415063F97C16A327E2ADBED070DE1CB2B828766F27
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mail.nipponcarsrl.com.ar
Sending IP: 200.114.86.103
From: María López <info@adelca.com>
Subject: Orden CW62125Q
Attachment: Orden CW62125Q, pdf.xz (contains "Orden CW62125Q, pdf.exe")

NanoCore RAT C2:
graceland777.ddns.net:7771 (185.244.30.199)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-10-07T21:39:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75071/
Detection(s):
SecuriteInfo.com.Artemis35E252D3D45B.11376.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
NanoCore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508172
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f6b100b68c412b9a6c4289ce2e387bc13805bc9cc46141c3bf2bf497cff3649/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 13:11:20 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d5vrac3iyqjltjwefcoofy4hxqjyaw6jzrdbihb36k7us7h7gzeq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
NanoCore
564d8ca154a08dbbe3af33d3ec5b5345c31fa8a56d536f9b22063c99db8455d7
NanoCore
6bc296fc9ae6bdb27ca23398f69bfb7b44d69734ff0e03a3322fdf688117e2f5
NanoCore
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
NanoCore
9e184fecd3e0be67e11c78d407fe8e1f5f75573b32801bf00055745ef3c86225
NanoCore
c3c62460fce1e7c6964339da00bc229e02872c21de66a35c3aba8592ef7a8872
NanoCore
cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069
NanoCore
d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1
NanoCore
d9503dc6cff1393c176eb25789982c93cd5055f27934c43e57154c642d2ea5d4
NanoCore
f535414d7bdcacff5db6ba209be888ebcd7996b1602a3b78a574b72d03cca147
NanoCore
+ 1'216 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/201023-m5sw4ynrb6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
graceland777.ddns.net:7771
Unpacked files
SH256 hash:
1f6b100b68c412b9a6c4289ce2e387bc13805bc9cc46141c3bf2bf497cff3649
MD5 hash:
35e252d3d45b4b168cb632d287263ee6
SHA1 hash:
9af37bad68605a67a805847498f725d83ee39531
Link:
https://www.unpac.me/results/94aa6545-10bc-486c-8d9f-d221c549ddb6/
SH256 hash:
c70fd4f3793e6175103fd5ca00ddc7152f66a5c7a479e6206b014b289ce7d068
MD5 hash:
b30d2b96e950f7677b7d262b13e50159
SHA1 hash:
18e931cdf90754dad1ca68f7b07c9ccfbed0ce4f
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/94aa6545-10bc-486c-8d9f-d221c549ddb6/
Parent samples :
1f6b100b68c412b9a6c4289ce2e387bc13805bc9cc46141c3bf2bf497cff3649
42ec63d168aa68fc1408ef49e73fc9e0d70beec8add97cc2540a30ece7ca85ef
438c02be74a4976a426c2b0e5da2d37f04772782e59739ce2acc79e9dc780ca1
SH256 hash:
16cd24194beab4c92aede2923a2824da3d5906a1ff510bb4f2e7e54028c54681
MD5 hash:
6195006ce5cc06514faf4f3fe7805ca9
SHA1 hash:
8e8eef6c025c935c9ee907b57dd754795e00a0e5
Link:
https://www.unpac.me/results/94aa6545-10bc-486c-8d9f-d221c549ddb6/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/94aa6545-10bc-486c-8d9f-d221c549ddb6/
SH256 hash:
108ea52d907f02cf5a0f73ff151f99e4432745ffa70ef0da4be50608355d7ce2
MD5 hash:
a3b3e1460fd49014df826ca26510da99
SHA1 hash:
f78b3b4aa0baadd609e49a6cbbe822107e779fdd
Link:
https://www.unpac.me/results/94aa6545-10bc-486c-8d9f-d221c549ddb6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Noancooe
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f6b100b68c412b9a6c4289ce2e387bc13805bc9cc46141c3bf2bf497cff3649

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

df32b5bcf954cd63c2da837468c47299

NanoCore

Executable exe 1f6b100b68c412b9a6c4289ce2e387bc13805bc9cc46141c3bf2bf497cff3649

(this sample)

  
Dropped by
MD5 df32b5bcf954cd63c2da837468c47299
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75071/

Comments