MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49734ef67be2f2a71545820ed6258683d03a9aa3a97db586aea7d148090b4fa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	49734ef67be2f2a71545820ed6258683d03a9aa3a97db586aea7d148090b4fa4
SHA3-384 hash:	0ca2f094854aff797259fc88f36e01157f07a0aaa0744b8a94534059b48b08d09b6e8559ade93a30f8000b2a3a3fe77c
SHA1 hash:	51c810bafc63b80f2b638d8276f652ef57cbbd35
MD5 hash:	ac1643b6b68e34738444b6deff74f8f0
humanhash:	foxtrot-colorado-don-lima
File name:	ac1643b6b68e34738444b6deff74f8f0.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	635'904 bytes
First seen:	2020-07-06 06:25:59 UTC
Last seen:	2020-07-06 06:38:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:OEIFqJbLjlvP0CAbNPtoE3FLAaxqrhP33gSkcIq4qk+fm/xHaWAZXiZ:OyPlUCAbNPtB8QSVJk+fm5HaRdiZ
Threatray	1'189 similar samples on MalwareBazaar
TLSH	24D401164F984225E5FD237D52B3C3728BB12E92A643E70B9AC87E077DBF7C14522162
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

NanoCore RAT C2:
mogs20.hopto.org:1085 (185.244.30.251)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.244.30.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-06-03T09:20:12Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/20792/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34125472.7922.12148.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Creating a file in the %AppData% subdirectories

DNS request

Forced shutdown of a system process

Connection attempt to an infection source

Enabling autorun with Startup directory

Unauthorized injection to a system process

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/49734ef67be2f2a71545820ed6258683d03a9aa3a97db586aea7d148090b4fa4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-06 03:28:18 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jfzu55t34lzkofkfqihnmjmgqpidvgvdvf63lbvou7iuqcilj6sa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

0fb26042a8a31d0db10d1302875a6f44d5aa5dd369b309795172dc957eef5c4a

NanoCore

19cb38547f3fd2c587aea5193730165d1e0706324b79c9cd60c809a23d73497a

NanoCore

266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34

NanoCore

ad9b31618184bb980a5e825fcb465913f3002077043fc5e3a761653473a4dce0

NanoCore

b021142c3c9575a16eb787ba56f17e01925370db0b3d24afa41145b83f8f094f

NanoCore

c21ee6cfa09a79362a7f3b03781a7f252d10b41da48dea433e06fe4a0df26eee

NanoCore

d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0

NanoCore

f9614b985dcb06d9c40448e4ecf1a94ce2cd69e54f6acbeca7b6deec54aafdb3

NanoCore

fa8b5da63665ba268ec6923aa0bd26662e9dea318d80a7ab659065724c94868a

NanoCore

+ 1'179 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

keylogger trojan stealer spyware family:nanocore evasion

Link:

https://tria.ge/reports/200706-ez7rr2m8gx/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Reads user/profile data of web browsers

Drops startup file

Uses the VBS compiler for execution

NanoCore

Malware Config

C2 Extraction:

mogs20.hopto.org:1085
185.244.30.251:1085

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/