MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c3162eaafbc94bfa239e84ba966a8e3ce431b7ebff852f2bc4c27a0d9fdae70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c3162eaafbc94bfa239e84ba966a8e3ce431b7ebff852f2bc4c27a0d9fdae70
SHA3-384 hash: af9582323bb168b5e9704cfc5fff2920a883c6b8961e2e642be0da71ca139da0dc0fe56e86e749224fdef55e5a2c3d70
SHA1 hash: b296c8580bb34549d174d240e61aa321a05f43f4
MD5 hash: bfd0fbb09fa49540eb974ba321ee4b5e
humanhash: victor-romeo-avocado-mississippi
File name:quotation.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:777'216 bytes
First seen:2020-10-19 07:24:23 UTC
Last seen:2020-10-19 08:23:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:1jtNuxxKtQoPLRPDG6z767CJqCtvETsxoe2a+thARuo:1nuxUt9PLRPDZzJqddm
Threatray 1'177 similar samples on MalwareBazaar
TLSH 0AF4AE0466895F58F07E97325264045093F6BD02CB78C81FBDD93AD91E32F82CB77A9A
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: serve0.pacificstargroups.pw
Sending IP: 192.129.245.90
From: Al Asham Jaafer <A.jaafer@dlxgroup.com>
Reply-To: essen_salvan@yahoo.com
Subject: RFQ: Quotation Request
Attachment: Quotation.rar (contains "quotation.exe")

NanoCore RAT C2:
79.134.225.117:2180

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72781/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.30206.2269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495001
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299968 Sample: quotation.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 9 other signatures 2->43 8 quotation.exe 3 2->8         started        12 quotation.exe 2 2->12         started        process3 file4 27 C:\Users\user\AppData\...\quotation.exe.log, ASCII 8->27 dropped 45 Injects a PE file into a foreign processes 8->45 14 quotation.exe 12 8->14         started        19 quotation.exe 2 12->19         started        21 quotation.exe 12->21         started        signatures5 process6 dnsIp7 33 79.134.225.117, 2180, 49715 FINK-TELECOM-SERVICESCH Switzerland 14->33 29 C:\Users\user\AppData\Roaming\...\run.dat, data 14->29 dropped 31 C:\Users\user\AppData\Local\...\tmp1B1C.tmp, XML 14->31 dropped 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->35 23 schtasks.exe 1 14->23         started        file8 signatures9 process10 process11 25 conhost.exe 23->25         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c3162eaafbc94bfa239e84ba966a8e3ce431b7ebff852f2bc4c27a0d9fdae70/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 03:15:36 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqywf2vpxskl7irz5bf2szvi4phegg36x74ff4v4jqt2bwp5vzya._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
13f1fde2f8426f9ee2addd7ff3a710d9fb7042d875fdf3f0e8e080030da53b83
NanoCore
1b9cbd60298e5be7b6c5813a3c03bd423ae73364049848c44145b9c079fd0adc
NanoCore
2035071dea13b48db2cc9248961f3f55a41e60b0b346f190a3a69b75670b99bc
NanoCore
2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9
NanoCore
4636055b5170ddb11d94a466c0c93e57ad40caf68a036274bdf2ded620a22bce
NanoCore
a1422a68552a1a97bdc63ca454352d1fd780056b38582e7f82bf12f6fc23593e
NanoCore
b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902
NanoCore
b84aa5ba2bf1c040d2f318a7f5ff77ee7e8e98a33c458f32c737106568549879
NanoCore
ea8e298e37b422ef62a77c300ee7f60fba2336f457c3b70c135b981025d840c3
NanoCore
fd1f86d98d28f8e9ae73acf4609e8cc0e669e97495c7d9bf679151b47432e005
NanoCore
+ 1'167 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/201019-est7fzqpg6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
79.134.225.117:2180
Unpacked files
SH256 hash:
6c3162eaafbc94bfa239e84ba966a8e3ce431b7ebff852f2bc4c27a0d9fdae70
MD5 hash:
bfd0fbb09fa49540eb974ba321ee4b5e
SHA1 hash:
b296c8580bb34549d174d240e61aa321a05f43f4
Link:
https://www.unpac.me/results/352b3977-469a-4b83-9df4-4a9466796456/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/352b3977-469a-4b83-9df4-4a9466796456/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c3162eaafbc94bfa239e84ba966a8e3ce431b7ebff852f2bc4c27a0d9fdae70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 06d209c64be78162527a71f37d736111cacf9061c69811b11d9221d1e8664835

NanoCore

Executable exe 6c3162eaafbc94bfa239e84ba966a8e3ce431b7ebff852f2bc4c27a0d9fdae70

(this sample)

  
Dropped by
MD5 4f127bbb7a6ca0683b252e5eda0fe6a0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72781/
  
Dropped by
SHA256 06d209c64be78162527a71f37d736111cacf9061c69811b11d9221d1e8664835

Comments