MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 777fba538036151ad62b324ca054357052c7e2bdbc6105c304cbd05cd61ee67f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 9



SHA256 hash: 777fba538036151ad62b324ca054357052c7e2bdbc6105c304cbd05cd61ee67f
SHA3-384 hash: eda29cf297dd759a788e5218da4333653df4eab80b4197cf8c27bd8363008f7e88500b2dc80347c63c40db288c4338ca
SHA1 hash: 25fa1ae027ee1a35922c5657fff2c929d99307b5
MD5 hash: 53c14813f2418066afe42f028670aecc
humanhash: hamper-delta-speaker-batman
File name: 53c14813f2418066afe42f028670aecc.exe
Signature: NanoCore
File size: 435'712 bytes
First seen: 2020-07-16 19:12:12 UTC
Last seen: 2020-07-16 20:12:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:+zbT48cXj/z8DfDsTkLBpzA+rJygqsZDWUb8Ywg5MtAg00YLJC/A4DmMkvzg6kXd:+zbFDAkp2sZC+R2AgSLJmA4aRVl
Threatray: 1'323 similar samples on MalwareBazaar
TLSH: FF94BF1657E8CB2FD16E727E95A3402247B5E587E892F7CF9B4824EE1443380992337B
Reporter: abuse_ch
Tags: exe NanoCore nVpn RAT


abuse_ch
NanoCore RAT C2:
netccwomo.duckdns.org:9090 (185.140.53.63)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NL4-BE
country: EU
descr: Amsterdam, Netherlands
descr: Brussels, Belgium
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-14T13:31:17Z
source: RIPE

Intelligence


File Origin
# of uploads: 2
# of downloads: 95
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt to an infection source
Forced shutdown of a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Yara detected Nanocore RAT
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 246604; Sample: clhXdk3J5h.exe; Startdate: 18/07/2020; Architecture: WINDOWS; Score: 100. Recoverable nodes: clhXdk3J5h.exe repeatedly spawns further clhXdk3J5h.exe and RegAsm.exe instances (maps a DLL or memory area into another process); dropped files C:\Users\user\AppData\...\HJdyTuap.exe (PE32) and C:\Users\user\AppData\Roaming\...\run.dat; RegAsm.exe connects to netccwomo.duckdns.org (185.140.53.63) on port 9090 and hides that the sample was downloaded from the Internet (zone.identifier).
Threat name: ByteCode-MSIL.Backdoor.NanoCore
Status: Malicious
First seen: 2020-07-15 10:40:03 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
C2 Extraction: netccwomo.duckdns.org:9090
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments