MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fa0d2b187fff4aa38d7fe7690608068aa1469b0f2de4391947027553723b43b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 10



SHA256 hash: 6fa0d2b187fff4aa38d7fe7690608068aa1469b0f2de4391947027553723b43b
SHA3-384 hash: ba051cea3d8f6d82ff6999ccb17456063f7a92f218b4ba1b5241a24cb07c9c07d49d77f72ba9240fc695d942106754be
SHA1 hash: 5b472e5343abf36a9699f5e126329b9c43ca717a
MD5 hash: 0c83a25f8931ce8ad0123bfee73d27c7
humanhash: mike-magazine-network-august
File name: Doc_0143_07242020.exe
Signature: NanoCore
File size: 766'464 bytes
First seen: 2020-07-24 13:17:35 UTC
Last seen: 2020-07-24 17:10:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a95f64f710239fabb14f8033aa8f32db (5 x AgentTesla, 4 x Loki, 2 x MassLogger)
ssdeep: 12288:4IFIvtUFqW6lJMK5/ZCasg48z1IWPhetOLyH/iwjgK5GevvpAryilSyv+CNw:PktUD6lJMmsL8KWPc1pjgKoQpUyTyvW
Threatray: 3'251 similar samples on MalwareBazaar
TLSH: 00F4B0E2E2E14833D1A7173BCD1B9E789839BD103D249A462BF55C0CAF396C174762A7
Reporter: jarumlus
Tags: NanoCore

Intelligence


File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with Startup directory
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID 250941, sample Doc_0143_07242020.exe, start date 24/07/2020, architecture WINDOWS, score 100. Signatures shown in the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 13 other signatures; Detected unpacking (changes PE section rights, creates a PE file in dynamic memory, overwrites its own PE header); Contains functionality to detect sleep reduction / modifications; Maps a DLL or memory area into another process; Hides that the sample has been downloaded from the Internet (zone.identifier). Process tree: Doc_0143_07242020.exe spawns further copies of itself and wpasv.exe, and runs schtasks.exe (with conhost.exe). Dropped files: C:\Program Files (x86)\...\wpasv.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat, C:\Users\user\AppData\Local\...\tmp6159.tmp (XML), C:\...\wpasv.exe:Zone.Identifier, C:\Users\user\...\Doc_0143_07242020.exe.log. Network: izu2128.hopto.org (185.244.29.131), port 2128.
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-24 07:35:20 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: upx evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
UPX packed file
NanoCore
Malware Config
C2 Extraction:
izu2128.hopto.org:2128
185.244.29.131:2128
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NanoCore
Executable exe 6fa0d2b187fff4aa38d7fe7690608068aa1469b0f2de4391947027553723b43b (this sample)

Dropped by: NanoCore
Delivery method: Distributed via e-mail attachment

Comments