MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d66e25ef6e9edfefee476cc8d967809bfebe8f5751c641b13bcdb99b768b754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	2d66e25ef6e9edfefee476cc8d967809bfebe8f5751c641b13bcdb99b768b754
SHA3-384 hash:	e698cdb0bbe5ee0807401153294f32debdc4094095c67763906792866f9b0d2c2bf67eaf33071eff6ce1f31481177576
SHA1 hash:	3d0bfae4371c70659869e9911c0e55052d61fa0c
MD5 hash:	65ed5babc4fae254eb765daf211ca416
humanhash:	xray-skylark-hotel-speaker
File name:	65ed5babc4fae254eb765daf211ca416.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'243'648 bytes
First seen:	2020-12-09 10:14:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	24576:dsLRRAGlEDgndMtnhEyY4YoAc5nJf3Xp72ugafC:YRhlEJphEY1TnJf3Xp7TC
Threatray	1'406 similar samples on MalwareBazaar
TLSH	1C45BF355FA8163AF57BAB3CC5B02441A7EE7B937713C96C29B501C90723A42DAE1339
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

NanoCore RAT C2:
vremenew.ddns.net:83 (79.134.225.12)

Pointing to nVpn:

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

169

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://198.12.125.17/new.exe

Verdict:

Malicious activity

Analysis date:

2020-12-09 12:30:21 UTC

Tags:

loader rat nanocore

Link:

https://app.any.run/tasks/eb188014-44f7-44e0-bcf6-c4452c5fcb0a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107399/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.tc.28444.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Nanocore AveMaria MailPassView

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/558812

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Detected Nanocore Rat

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Yara detected AntiVM_3

Yara detected AveMaria stealer

Yara detected MailPassView

Yara detected Nanocore RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d66e25ef6e9edfefee476cc8d967809bfebe8f5751c641b13bcdb99b768b754/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-09 10:15:08 UTC

AV detection:

30 of 48 (62.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fvtoexxw5hw757xeo3gi3ftybg76x2hvouogigytxtnztn3iw5ka._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

42ea844a6aeb6c01de060355e8333242f71553498514ca1bf7d4af32bb90803e

NanoCore

47f2e01332f2352960848114607310d9bb23caff5a8de7d67f9e2ed7fc6944b9

NanoCore

50f76b94939c88cbaec0cba4f365b82c2cc6a910196b025f3fbf65b6a4c476bb

NanoCore

5b6756a73d090b80c41d33d5de5ade286cfb3d5fe6a2efac8266a98c3fd0de22

NanoCore

6fdc8ad458c5b60a15774baef1acff96af05216b279754c5188c63ee542a82fe

NanoCore

732af876d4a5f421064389d615971a380c530252032d40651f058dde13798693

NanoCore

b7000ac571c057d5eeed8c6cc904674b067ddd0a5a9cd6843669efe0667baa17

NanoCore

c3aee1fdb1ad07ad47d1d99fad5c228d6116ffc2289273b30dd60ce81746e607

NanoCore

d9b101865845e0f306ea5a614ae9b1e1da8f674e5102ddfb7a5a6385d1cd70f7

NanoCore

+ 1'396 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201209-zazvb7fr7e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Reads user/profile data of web browsers

Uses the VBS compiler for execution

NanoCore

Malware Config

C2 Extraction:

vremenew.ddns.net:83
79.134.225.12:83

Unpacked files

SH256 hash:

9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f

MD5 hash:

7476e403eef14ac403c63c7279831780

SHA1 hash:

8387f558e30dc115987ac2b5c174a41302471abf

Link:

https://www.unpac.me/results/3f9764ad-183f-4345-9fd4-23f784e4592b/

SH256 hash:

2d66e25ef6e9edfefee476cc8d967809bfebe8f5751c641b13bcdb99b768b754

MD5 hash:

65ed5babc4fae254eb765daf211ca416

SHA1 hash:

3d0bfae4371c70659869e9911c0e55052d61fa0c

Link:

https://www.unpac.me/results/3f9764ad-183f-4345-9fd4-23f784e4592b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2d66e25ef6e9edfefee476cc8d967809bfebe8f5751c641b13bcdb99b768b754

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/