MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b
SHA3-384 hash: c870881feaa666cfdad3c5dd36ea3578edafca0ea326a6724e439053bb673559255885b4e26422af5147abb80e4e70dc
SHA1 hash: 67ed5c94517ddb913275eb5f2d51bff869caa97f
MD5 hash: 9539c852eae0cdec4f4fa24ed5383fa2
humanhash: pip-winter-avocado-fillet
File name:DHL AWB TRACKING DETAILS.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:905'216 bytes
First seen:2020-10-17 06:36:01 UTC
Last seen:2020-10-17 08:03:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:eEB3bO6vtfVtGBRido+qfHtY/n+tx+e+XUYLoXJkv4fKtCtNyql3h6+Q7pzAZoc2:70mo3HtY/VDYSiZ
Threatray 1'261 similar samples on MalwareBazaar
TLSH FA153D3838EA502AF173EEBA8DD475E6995BF7723505986E1062C3060A13A43DFCD93D
Reporter abuse_ch
Tags:DHL exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: server.herooputre.ml
Sending IP: 188.225.25.183
From: DHL OFFICE <management@herooputre.ml>
Subject: DHL NOTIFICATION:- YOUR PACKAGE HAS ARRIVED ON 15/10/2020
Attachment: DHL AWB TRACKING DETAILS.PDF.z (contains "DHL AWB TRACKING DETAILS.exe")

NanoCore RAT C2:
chinomso.duckdns.org

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72454/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader35.1955.30552.19509.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494271
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299586 Sample: DHL AWB TRACKING DETAILS.exe Startdate: 17/10/2020 Architecture: WINDOWS Score: 100 50 chinomso.duckdns.org 2->50 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 11 other signatures 2->62 9 DHL AWB TRACKING DETAILS.exe 1 2->9         started        13 dhcpmon.exe 2->13         started        15 dhcpmon.exe 1 2->15         started        17 DHL AWB TRACKING DETAILS.exe 2->17         started        signatures3 process4 file5 48 C:\Users\...\DHL AWB TRACKING DETAILS.exe.log, ASCII 9->48 dropped 66 Injects a PE file into a foreign processes 9->66 19 DHL AWB TRACKING DETAILS.exe 1 12 9->19         started        24 dhcpmon.exe 13->24         started        26 dhcpmon.exe 13->26         started        28 dhcpmon.exe 2 15->28         started        30 WerFault.exe 23 9 17->30         started        signatures6 process7 dnsIp8 52 chinomso.duckdns.org 185.244.30.39, 49767, 49770, 49771 DAVID_CRAIGGG Netherlands 19->52 40 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->40 dropped 42 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->42 dropped 44 C:\Users\user\AppData\Local\...\tmp1C57.tmp, XML 19->44 dropped 46 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->46 dropped 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->64 32 schtasks.exe 1 19->32         started        34 schtasks.exe 1 19->34         started        54 192.168.2.1 unknown unknown 30->54 file9 signatures10 process11 process12 36 conhost.exe 32->36         started        38 conhost.exe 34->38         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 12:36:14 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkmkn5s2muox7xdlcr5ldowo5pgdcv3pzs2p6tl4kfv4vvwxyifq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
NanoCore
1e9ff9549343dcb17dcb137508657a94e5503579e0e0741443b27c732b62fa5c
NanoCore
404f05e16218e8fd6be8ddbe8b1e902bd523b21213928f2f595b29e0fce42a5a
NanoCore
483338a656b2a7bf095d9bf3ca950419f217acdb9812b3d0013ccc13785f305e
NanoCore
5d4d3a449bd4ed7a879d585c182bad5d7f0ee24d04bc862e5043c344f2bd6f86
NanoCore
6aa3059db34fb36662907183cf3780aac4b4c00e663f261a59aeebc00c03a5c0
NanoCore
7398233b8b5b0e13643fcb65b54db72b99b5d2970415ab41fcdb037a780ade7d
NanoCore
777fba538036151ad62b324ca054357052c7e2bdbc6105c304cbd05cd61ee67f
NanoCore
b8ad7398bf812d51b21f9ec51b8ffba7d3830dac0a949f09acea087066f4368b
NanoCore
f9e386914a47b738dcfe89fadf3021be00c2dfe8824d8326ea79fcd79d3673cc
NanoCore
+ 1'251 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/201017-cmvsx96r2n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
chinomso.duckdns.org:7688
Unpacked files
SH256 hash:
3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b
MD5 hash:
9539c852eae0cdec4f4fa24ed5383fa2
SHA1 hash:
67ed5c94517ddb913275eb5f2d51bff869caa97f
Link:
https://www.unpac.me/results/ebe7d114-2923-4847-99ec-d3ec94ef8cc2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z a865df8e855d93c1c93ab1d2074a337ee7f494bdf8ac630c3a23ccb19da5de74

NanoCore

Executable exe 3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b

(this sample)

  
Dropped by
MD5 d9f9c805db6a6cb8f783193cfa89f6e0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72454/
  
Dropped by
SHA256 a865df8e855d93c1c93ab1d2074a337ee7f494bdf8ac630c3a23ccb19da5de74

Comments