MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68bdf2747408e5f948696b4285faf5c9f87aea79272212d96895f1978201270f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 12 File information Comments

SHA256 hash:	68bdf2747408e5f948696b4285faf5c9f87aea79272212d96895f1978201270f
SHA3-384 hash:	dda6f411ac99f52ca385f4d595245ac5f4628948e7ec6eab68593984bb3890daf8a8cbbc4e6bd60e8a6edcc8d0946495
SHA1 hash:	536fa825af8b13f342e3de6a9788ced939f2358d
MD5 hash:	2688e5ad80c30dc73f6d07bc1aeaae4f
humanhash:	diet-football-three-december
File name:	2688e5ad80c30dc73f6d07bc1aeaae4f.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	249'856 bytes
First seen:	2021-12-01 14:32:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep	6144:k9dta6dtJmakIM5Kke2mTIWCJ3vokCALV6h:stpmkfke2mTI1Jfok1LV6h
Threatray	3'565 similar samples on MalwareBazaar
TLSH	T19D34D016BBA5853FD19E49BC61114212877CD2E3ADD3F3EF68E414A68F263E10A0B1D7
Reporter	abuse_ch
Tags:	exe NanoCore RAT

abuse_ch

NanoCore C2:
82.215.114.147:7777

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
82.215.114.147:7777	https://threatfox.abuse.ch/ioc/256829/

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2688e5ad80c30dc73f6d07bc1aeaae4f.exe

Verdict:

Malicious activity

Analysis date:

2021-12-01 15:06:32 UTC

Tags:

rat nanocore

Link:

https://app.any.run/tasks/48e2195c-0fce-4386-8463-8a7ca99b680d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Neshta

Link:

https://www.capesandbox.com/analysis/210347/

Detection(s):

Win.Trojan.Neshuta-1

PUA.Win.Packer.Pequake-4

Win.Trojan.NanoCore-9852758-0

Win.Virus.Neshta-7101689-0

Win.Packed.Generic-9777790-0

Win.Trojan.Generic-9783914-0

Win.Dropper.Nancrat-9869495-0

Win.Trojan.Nanocore-5

Win.Trojan.Jadtre-5

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file in the Windows directory

Modifying an executable file

Creating a window

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Creating a file

Launching a process

Searching for the window

Searching for synchronization primitives

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Enabling autorun with the shell\open\command registry branches

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Infecting executable files

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

0/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/445/overview

Behaviour

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware nanocore neshta overlay packed rat

Link:

https://www.filescan.io/uploads/61a7876986bf67e7121d78c7/reports/335efc90-25d1-4016-b567-dafd4c49c279/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NanoCoreRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1034d1b8-8112-4ce3-8682-7407dd61a106

Result

Threat name:

Nanocore Neshta Thanos

Detection:

malicious

Classification:

rans.spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/899491

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Detected Nanocore Rat

Drops executable to a common third party application directory

Drops PE files with a suspicious file extension

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Protects its processes via BreakOnTermination flag

Sigma detected: NanoCore

Sigma detected: Suspicius Add Task From User AppData Temp

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Nanocore RAT

Yara detected Neshta

Yara detected Thanos ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68bdf2747408e5f948696b4285faf5c9f87aea79272212d96895f1978201270f/

Threat name:

Win32.Virus.Neshta

Status:

Malicious

First seen:

2021-11-27 00:43:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

44 of 45 (97.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nc67e5dubds7ssdjnnbil6xvzh4hv2tze4rbfwlisxyzpaqbe4hq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110

NanoCore

3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86

NanoCore

4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9

NanoCore

5a8b4dc95322eed89a2c77350395f8c1f79394369bebec84703ae285092a37f5

NanoCore

7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6

NanoCore

9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860

NanoCore

9fc2ec9a478ddf812c9687c805f340989dc0af33b48100ec6621e422035ce579

NanoCore

ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32

NanoCore

+ 3'555 additional samples on MalwareBazaar

Result

Malware family:

neshta

Score:

10/10

Tags:

family:nanocore family:neshta evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/211201-rwbhxagaa8/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Adds Run key to start application

Checks whether UAC is enabled

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Modifies system executable filetype association

NanoCore

Neshta

Malware Config

C2 Extraction:

joja.ddns.net:7777
127.0.0.1:7777

Unpacked files

SH256 hash:

68bdf2747408e5f948696b4285faf5c9f87aea79272212d96895f1978201270f

MD5 hash:

2688e5ad80c30dc73f6d07bc1aeaae4f

SHA1 hash:

536fa825af8b13f342e3de6a9788ced939f2358d

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/0ee5c45a-189c-4422-b9ed-20ddfd8c8f61/

Malware family:

NanoCore

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/68bdf2747408/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68bdf2747408e5f948696b4285faf5c9f87aea79272212d96895f1978201270f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	MALWARE_Win_NanoCore Create hunting rule
Author:	ditekSHen
Description:	Detects NanoCore

Rule name:	MALWARE_Win_Neshta Create hunting rule
Author:	ditekSHen
Description:	Detects Neshta

Rule name:	MAL_Neshta_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	MAL_Neshta_Generic_RID2DC9 Create hunting rule
Author:	Florian Roth
Description:	Detects Neshta malware
Reference:	Internal Research

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Feb18_1_RID2DF1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	Nanocore_RAT_Gen_2_RID2D96 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/