MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6306c2750ef668ad467a0f9ee9a72f40420f52e359233223a1a09a755d837b21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6306c2750ef668ad467a0f9ee9a72f40420f52e359233223a1a09a755d837b21
SHA3-384 hash: 1018788cfe5f40fc1c950eb8adf4f4581eef83e33e0c203399ba31a7e33e4a49cd2ba4ce182f43a1746c1f6070b632b9
SHA1 hash: 327e6195d174bebe19b5bbea5488a37768ef31a4
MD5 hash: dfe9e9df56b720d375c25baec7c4ee85
humanhash: violet-mirror-nebraska-jig
File name:New Order.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:414'720 bytes
First seen:2020-08-07 13:29:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:7xfoeR8b4az3YVoEnhVQVDZd3wMMZ0O/VFk0f9vV6oxcR537RwWHw:7xf78UoOhVsFd3602vRaF5H
Threatray 1'115 similar samples on MalwareBazaar
TLSH 7094AE31225CEFB6E57F97785411110513F2A40AE335EA99BFE950CA0CB1F868FA2F61
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mail.balticbeach.lv
Sending IP: 195.13.167.102
From: Amy Yang <amy@europlaz.com>
Reply-To: nicolaemanea@yandex.com
Subject: Re:Re: New Order.....
Attachment: New Order.exe

NanoCore RAT C2:
bbenson.ddns.net:3080 (185.244.30.6)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU4
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-07-28T21:04:34Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41663/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
DNS request
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/415332
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 259928 Sample: New Order.exe Startdate: 07/08/2020 Architecture: WINDOWS Score: 100 67 bbenson.ddns.net 2->67 73 Malicious sample detected (through community Yara rule) 2->73 75 Sigma detected: Scheduled temp file as task from temp location 2->75 77 Sigma detected: NanoCore 2->77 79 10 other signatures 2->79 9 New Order.exe 7 2->9         started        13 New Order.exe 4 2->13         started        15 dhcpmon.exe 2->15         started        18 dhcpmon.exe 3 2->18         started        signatures3 process4 dnsIp5 59 C:\Users\user\AppData\Roaming\CZlPizS.exe, PE32 9->59 dropped 61 C:\Users\user\...\CZlPizS.exe:Zone.Identifier, ASCII 9->61 dropped 63 C:\Users\user\AppData\Local\...\tmp3E3F.tmp, XML 9->63 dropped 65 C:\Users\user\AppData\...65ew Order.exe.log, ASCII 9->65 dropped 83 Injects a PE file into a foreign processes 9->83 20 New Order.exe 1 12 9->20         started        25 schtasks.exe 1 9->25         started        27 New Order.exe 9->27         started        29 schtasks.exe 13->29         started        31 New Order.exe 13->31         started        33 New Order.exe 13->33         started        71 192.168.2.1 unknown unknown 15->71 35 schtasks.exe 15->35         started        37 dhcpmon.exe 15->37         started        file6 signatures7 process8 dnsIp9 69 bbenson.ddns.net 185.244.30.6, 3080, 49724, 49725 DAVID_CRAIGGG Netherlands 20->69 53 C:\Program Files (x86)\...\dhcpmon.exe, PE32 20->53 dropped 55 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 20->55 dropped 57 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 20->57 dropped 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->81 39 schtasks.exe 1 20->39         started        41 schtasks.exe 1 20->41         started        43 conhost.exe 25->43         started        45 conhost.exe 29->45         started        47 conhost.exe 35->47         started        file10 signatures11 process12 process13 49 conhost.exe 39->49         started        51 conhost.exe 41->51         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6306c2750ef668ad467a0f9ee9a72f40420f52e359233223a1a09a755d837b21/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-08-07 11:19:58 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmdme5io6zuk2rt2b6potjzpibba6uxdlertei5bucnhkxmdpmqq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6
NanoCore
08c1ed3585826baa8e470be4c446478a895317380573ef787e53afdc264569e3
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
786e5ea538d875c628433d6cf45abd9559ede017b01b3fca8eb3bfc6dbc66f12
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
9d44ded1da60c6d985cd16f0b98954f746f83f3d7d093f15f30a88eb14441e0a
NanoCore
c906c5770bebca31da7c8da7a639ec54531022d2a88bc133f89f793e7a3d737d
NanoCore
d2dbd686e32057f85bd87cd34af193f3ebf6e6f99de996da2a8dcc533d9ad19f
NanoCore
ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb
NanoCore
f6418cb1cf7a9024b0a8e7f736c45f0a7e8aaa5ecd2d41241f20a56ea05ccf07
NanoCore
+ 1'105 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200807-s8la52a9p6/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
bbenson.ddns.net:3080
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/6306c2750ef668ad467a0f9ee9a72f40420f52e359233223a1a09a755d837b21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 6306c2750ef668ad467a0f9ee9a72f40420f52e359233223a1a09a755d837b21

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41663/

Comments