MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38181c48e9eb624b259664be09541e3f2717675df2d21612fb4ae1c9a75f0dfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	38181c48e9eb624b259664be09541e3f2717675df2d21612fb4ae1c9a75f0dfc
SHA3-384 hash:	1d34eddaa8a78b3122cf085e724206a9486caca0cab5a54281dc1bef466b050c44944c16fbccd2a5c8bcbab3d8e94539
SHA1 hash:	8a7b0e3260846a2a74cb8a738280bfb0293aa9c8
MD5 hash:	eb0839c4f9fef78fefcaeb0ef0227390
humanhash:	hotel-beryllium-cup-mockingbird
File name:	Order_inquiry,pdf.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	410'422 bytes
First seen:	2021-03-01 13:08:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	6144:m9X0GxiVFI8Es5eKtsZ/Tlg0dfARFd2lGbxdZIBEX+ZvccB3I8o/ZFBX:I0do8EsgKtsNS0oD7UG+ZheBX
Threatray	2'227 similar samples on MalwareBazaar
TLSH	EC94AD82B8484899FD6637B544374E3432AF6ED62636D70F13973B761FB32A2141BA07
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: mail.suministroscarmelo.com
Sending IP: 146.255.103.156
From: Fahri TURAN <banu@venbatech.com>
Subject: Quotation for Order
Attachment: Order_inquiry,pdf.iso (contains "Order_inquiry,pdf.exe")

NanoCore RAT C2:
gracious2021.ddns.net:3734 (194.5.98.25)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NO
country: NO
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-10-07T21:35:29Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Order_inquiry,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-03-01 15:35:57 UTC

Tags:

rat nanocore

Link:

https://app.any.run/tasks/350fcd06-964f-4972-afda-e42612c1a1ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/120245/

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/622472

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Detected Nanocore Rat

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/38181c48e9eb624b259664be09541e3f2717675df2d21612fb4ae1c9a75f0dfc/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2021-03-01 13:09:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 48 (52.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hambyshj5nrewjmwms7asva6h4troz256ljbmex3jlq4tj27bx6a._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

1c55b3c97920d56dddbc38e6ba3c5dcbc7f3072792915b51e146b3dd92b3f392

NanoCore

4b13202d3051cdb4a77aea1f199b80e923c6071dc064246ae518a4ca57091965

NanoCore

52b5f2f95b1200b20a6f3adfcb93c6f87713155f83176dede353ee158c7c1b63

NanoCore

5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4

NanoCore

9da4dcbaeacef69514b7576eb1a9af401d3dfd354a2d12e9a0e7b8b7e4db2703

NanoCore

b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed

NanoCore

d64a4482514be4bb53344b4712d850bb5ad28bd589a5cf3f4d2d966d2ea9ef65

NanoCore

ddaaa650d42caaed5ddd7c307b986cdccfc25bcb84c7a4f29f9fddd26add4135

NanoCore

fe437d43f7133fadd1f6737840d626ba30d61eb8e983072b16175dccd7f011c1

NanoCore

+ 2'217 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210301-jg5sag4r1j/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Loads dropped DLL

NanoCore

Malware Config

C2 Extraction:

gracious2021.ddns.net:3734

Unpacked files

SH256 hash:

38181c48e9eb624b259664be09541e3f2717675df2d21612fb4ae1c9a75f0dfc

MD5 hash:

eb0839c4f9fef78fefcaeb0ef0227390

SHA1 hash:

8a7b0e3260846a2a74cb8a738280bfb0293aa9c8

Link:

https://www.unpac.me/results/f92d1515-e697-4549-bfb1-b73b68c9e4bb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Eldorado

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/38181c48e9eb624b259664be09541e3f2717675df2d21612fb4ae1c9a75f0dfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	adonunix Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/