MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 708e8ea4397b44ad8e1ea8ef53b0697dec1e09b6c454c7bf4654120e04a903f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 708e8ea4397b44ad8e1ea8ef53b0697dec1e09b6c454c7bf4654120e04a903f8
SHA3-384 hash: 49a13192af2175c757917b935041e1b4d5d23be860e0a2aec4d38de00e8b1dd4769f389ce9fbdf6ff490655fa74ae755
SHA1 hash: 65330784185defd5c70579e697565828805332b3
MD5 hash: d400f891031192908e80635dd6ac9cee
humanhash: magazine-cardinal-orange-hamper
File name:uK4c13RrZFN6qJo.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:535'040 bytes
First seen:2020-08-27 05:44:43 UTC
Last seen:2020-08-27 07:19:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:bx69nc8r3qhLPLuRS0KTXNDMyErf0ChHH:k5Tr3qpuRSfTX3ErfrH
Threatray 1'116 similar samples on MalwareBazaar
TLSH A5B4126403BCCF08DAEF1FF9487D324043F1B9969594D3999B98D2A734D6BA0CA21763
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: gmail.com
Sending IP: 209.58.149.66
From: Christy Kwan <nadotubesales@gmail.com>
Subject: Check Bank Details
Attachment: INVOICE.Z (contains "uK4c13RrZFN6qJo.exe")

NanoCore RAT C2:
185.140.53.28:1985

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51596/
Detection(s):
SecuriteInfo.com.Fareit-FYVD400F8910311.26209.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
NanoCore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/452293
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 278507 Sample: uK4c13RrZFN6qJo.exe Startdate: 27/08/2020 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 9 other signatures 2->46 7 uK4c13RrZFN6qJo.exe 7 2->7         started        11 dhcpmon.exe 4 2->11         started        process3 file4 26 C:\Users\user\AppData\...\gBxjwKtdrP.exe, PE32 7->26 dropped 28 C:\Users\...\gBxjwKtdrP.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmp24CF.tmp, XML 7->30 dropped 32 C:\Users\user\...\uK4c13RrZFN6qJo.exe.log, ASCII 7->32 dropped 48 Writes to foreign memory regions 7->48 50 Allocates memory in foreign processes 7->50 52 Injects a PE file into a foreign processes 7->52 54 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->54 13 RegSvcs.exe 1 13 7->13         started        18 schtasks.exe 1 7->18         started        20 RegSvcs.exe 7->20         started        22 conhost.exe 11->22         started        signatures5 process6 dnsIp7 38 185.140.53.28, 1985, 49723 DAVID_CRAIGGG Sweden 13->38 34 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 13->34 dropped 36 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->36 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->56 24 conhost.exe 18->24         started        file8 signatures9 process10
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/708e8ea4397b44ad8e1ea8ef53b0697dec1e09b6c454c7bf4654120e04a903f8/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-27 05:46:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ochi5jbzpnck3dq6vdxvhmdjpxwb4cnwyrkmpp2gkqja4bfjap4a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0c2e1c5be8a1cdbad1b22fbaf5e376881c436caca2de9037188edad1ab000ea2
NanoCore
15ea783eaed5ea26907b2c782e5e201a56f2fe0a76005bb42a0b1ae72fe05c9f
NanoCore
2ece9ea188efe1c9818ed0dd874ddcc1f88466baefb8bf369917be577ca006d6
NanoCore
384e9e2987d36d51e9a29f4e780a1f87e852f6e57a28d62930144e7a2ac9c852
NanoCore
57227e050e647b24bd8029baecc2cf918c67bd3396af98dae1b6a87d37edc12c
NanoCore
7b23ee97c4ef7c1756202b63bf98f9b4e3235cd715cfa639368f7fa30f14ac26
NanoCore
8bd67af43b81d9303bc114e81c598c9ae1cb4d55315c750ae3eea3691513c94f
NanoCore
9b1328490717e1e3c97216a17bf36b67103a40dae3bbac6865487e51fea82b32
NanoCore
b0813d378a8beb9c5ffa76eff2a030482a0b1b8a011b455db9186de4508b3ece
NanoCore
b320085d9b4a8bbb0573f39896e3c812f24a11628ffcdf0895611bfa2b0a5354
NanoCore
+ 1'106 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200827-e3fe9khf42/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
185.140.53.28:1985
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/708e8ea4397b44ad8e1ea8ef53b0697dec1e09b6c454c7bf4654120e04a903f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z f8ab2b23003d25ec24f3e29ed9c1e9b97fa76533f1d83deb282837492f16b146

NanoCore

Executable exe 708e8ea4397b44ad8e1ea8ef53b0697dec1e09b6c454c7bf4654120e04a903f8

(this sample)

  
Dropped by
MD5 08757a7f8365058340a3d7adb3ea54b5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f8ab2b23003d25ec24f3e29ed9c1e9b97fa76533f1d83deb282837492f16b146
Cape
Cape
https://www.capesandbox.com/analysis/51596/

Comments