MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73a7025d8defa4e9b7d588f8b9f35f414a2bd7e2d08816ab8e2c3482bbdfc7ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73a7025d8defa4e9b7d588f8b9f35f414a2bd7e2d08816ab8e2c3482bbdfc7ef
SHA3-384 hash: 4f6e0c4854f7c9e68a06e4ee32d5546e7391fa085063dc23ad5bd01a87e5cf7e56214ee3936d370f50e413fa764df481
SHA1 hash: 7133a2c1e6d700f09c6a1fedb9ee856697de74f0
MD5 hash: dcccc31645c846e20dc699e1dc320662
humanhash: one-fish-pluto-hamper
File name:Bestellung 2020-032208.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:640'512 bytes
First seen:2020-10-27 09:53:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:m6KOgd9ap9BzV+S5ENZcuilA5Cxb+W/azUpsYKx+78UQsWlqT:Bq9ap99VpMT/WJ++7m5qT
Threatray 57 similar samples on MalwareBazaar
TLSH D5D412EB7F6A8AD1EDAD0DB1B4365003A3B7AC0D7C12D28A4C5EB1E60D7B7500706996
Reporter abuse_ch
Tags:DEU exe geo NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

From: info@heute-gmbh.de
Reply-To: rw07472@mail.com
Subject: Bestellung 2020-032208
Attachment: Bestellung 2020-032208.iso (contains "Bestellung 2020-032208.exe")

NanoCore RAT C2:
69tallboy.ddns.net:1155 (185.165.153.28)

Poitning to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-UK
country: GB
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-10-26T17:45:15Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79756/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Windows shutdown
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513230
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Detected Nanocore Rat
Drops PE files to the startup folder
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305729 Sample: Bestellung 2020-032208.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 52 cdn.onenote.net 2->52 54 69tallboy.ddns.net 2->54 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for dropped file 2->68 70 14 other signatures 2->70 9 Bestellung 2020-032208.exe 4 2->9         started        13 RegAsm.exe 2 2->13         started        signatures3 process4 file5 48 C:\Users\user\ytredfghj, PE32 9->48 dropped 50 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 9->50 dropped 72 Maps a DLL or memory area into another process 9->72 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->74 15 RegAsm.exe 8 9->15         started        20 Bestellung 2020-032208.exe 1 9->20         started        22 cmd.exe 1 9->22         started        24 RegAsm.exe 9->24         started        26 conhost.exe 13->26         started        signatures6 process7 dnsIp8 56 69tallboy.ddns.net 185.165.153.28, 1155, 49715, 49719 DAVID_CRAIGGG Netherlands 15->56 44 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 15->44 dropped 46 C:\Users\user\AppData\Local\...\tmp3A32.tmp, XML 15->46 dropped 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->58 28 schtasks.exe 1 15->28         started        60 Writes to foreign memory regions 20->60 62 Maps a DLL or memory area into another process 20->62 30 cmd.exe 1 20->30         started        32 RegAsm.exe 2 20->32         started        34 conhost.exe 22->34         started        36 choice.exe 1 22->36         started        file9 signatures10 process11 process12 38 conhost.exe 28->38         started        40 conhost.exe 30->40         started        42 choice.exe 1 30->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73a7025d8defa4e9b7d588f8b9f35f414a2bd7e2d08816ab8e2c3482bbdfc7ef/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 08:03:22 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ootqexmn56sotn6vrd4lt427iffcxv7c2cebnk4ofq2ifo67y7xq._file
Verdict:
malicious
Similar samples:
11fc39cf459b554a292a4d4227671f045e5959ecc3e3e13ba1fa06510ac04d4c
NanoCore
1d21886bb28a6dfb2f331cb95cf7b74dbb5ae79dc70bbcd7451f15afd53999e1
NanoCore
4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470
NanoCore
5b27db23756f4ddbd30a3875e30cdbff6cdcc1650a46e3c5a032da6f85cfdceb
NanoCore
63e8813f98c05a02ae1c868adf8ca82aabc49e5eadd33368f036440d4116849e
NanoCore
777fba538036151ad62b324ca054357052c7e2bdbc6105c304cbd05cd61ee67f
NanoCore
83db97610db35554df4061ac1370a10dcda2006d212f4d17e741cfdfdf6264cb
NanoCore
a02ddaa108e3ffefb5b7024adf7190b5eadbd7b73d91f7380aeaffbd01b4cbf4
NanoCore
b24d44a75e9eead799bb3414d25736c73c172184ba580d19397d1fc7cba3aea2
NanoCore
f78baea8cd0a3e4803ae1432b39a2d24d6fdda6e1ace1c8e78f6908a4f63d099
NanoCore
+ 47 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore
Link:
https://tria.ge/reports/201027-kmbxxna86x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
NanoCore
Malware Config
C2 Extraction:
69tallboy.ddns.net:1155
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso 25a2f0977ffeb710c56b612fafee82fbf75d9f671887633706f48e706eb68535

NanoCore

Executable exe 73a7025d8defa4e9b7d588f8b9f35f414a2bd7e2d08816ab8e2c3482bbdfc7ef

(this sample)

  
Dropped by
MD5 f841f2b0e3073e80e61f14e2cad8901a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 25a2f0977ffeb710c56b612fafee82fbf75d9f671887633706f48e706eb68535
Cape
Cape
https://www.capesandbox.com/analysis/79756/

Comments