MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8



SHA256 hash: 4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470
SHA3-384 hash: 24c9c1a8906e11942e99912bd1923064f18e372807f199e95a1854a136a2cc2cec9d1186fda8a4d876929b639e3e4281
SHA1 hash: 3fb6fa1aa4de8ec86ee1921127993c392cf65582
MD5 hash: 506e8290af1d7197477063d84ff144f1
humanhash: echo-low-charlie-south
File name: IMO Advisory 2020.pdf.exe
Download: download sample
Signature: NanoCore
File size: 991'005 bytes
First seen: 2020-07-13 11:25:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 24576:6NA3R5drXdt8mHswGmKD99MYNAH29jZFQYcHO6l2le7O:z5b8c7GnR9y29jZ63Ile7O
Threatray: 1'578 similar samples on MalwareBazaar
TLSH: BD251202BAC644B2E5731D361D36A321AD7CBE302E25DE5FA7D40D6D9A311C1A235FA3
Reporter: abuse_ch
Tags: exe NanoCore nVpn RAT


abuse_ch
Malspam distributing NanoCore:

HELO: hermancarlo.com
Sending IP: 162.210.98.146
From: International Maritime Organization (IMO) <E-Memo@imo.org>
Subject: Fwd: IMO Circulars
Attachment: IMO Advisory 2020.uue (contains "IMO Advisory 2020.pdf.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 115
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Launching a process
Deleting a recently created file
DNS request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun with Startup directory
Threat name: Win32.Backdoor.NanoCore
Status: Malicious
First seen: 2020-07-13 04:45:23 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: persistence keylogger trojan stealer spyware family:nanocore evasion
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
leewardmarineservices.mywire.org:54985
leewardmarineservices.duckdns.org:54985
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NanoCore
Executable exe 4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470 (this sample)

Delivery method: Distributed via e-mail attachment

Comments