MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a2cd283e2f30e88cea6a791a533760e6955b35ffa322e48f2feb6743f705220. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 11



SHA256 hash: 7a2cd283e2f30e88cea6a791a533760e6955b35ffa322e48f2feb6743f705220
SHA3-384 hash: 519b3ec49155628d05930ee8bfacaf824acbd0c4079cbe7337627ea0886ed41e80d10c2cf82cf3024abcecba2e7aff57
SHA1 hash: 0b5d98f5a6904e1a9dc1ac906baff36d0d37060d
MD5 hash: 6ffbaf75628eaf725ed231dcac783ef3
humanhash: mockingbird-pizza-low-whiskey
File name: PO 77390029.exe
Signature: NanoCore
File size: 741'376 bytes
First seen: 2020-10-09 06:35:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:usw9+TjLOryMAvi80AWd3yGN8vqvfJvkMnkT1i560nqVIwUWuQclOC:usw9+T/O2bi81WdiqdvfpkMnkI560ngc
Threatray: 1'360 similar samples on MalwareBazaar
TLSH: 4EF4E12273A86F85F27E677845301200A7F5B927E732E39D7DA900DE09A2F85D363752
Reporter: abuse_ch
Tags: exe NanoCore nVpn RAT


abuse_ch
Malspam distributing NanoCore:

HELO: tonyhai
Sending IP: 117.121.213.232
From: Kanchana Shetty <dha@technogroupllc.com>
Subject: New Purchase Order
Attachment: PO 77390029.gz (contains "PO 77390029.exe")

NanoCore RAT C2:
79.134.225.91:1985

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 134
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name: Nanocore AgentTesla MailPassView
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected MailPassView
Yara detected Nanocore RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 295659): sample PO 77390029.exe, start date 09/10/2020, architecture WINDOWS, score 100.
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 13 other signatures.
Process tree recovered from the graph:
- PO 77390029.exe (started)
  - dropped: C:\Users\user\AppData\...\FzLDeHCDhLGXmy.exe (PE32); C:\...\FzLDeHCDhLGXmy.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpD114.tmp (XML); C:\Users\user\AppData\...\PO 77390029.exe.log (ASCII)
  - signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  - RegSvcs.exe (started)
    - network: 79.134.225.91:1985 (local port 49731; FINK-TELECOM-SERVICESCH, Switzerland)
    - dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
    - signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; 2 other signatures
    - vbc.exe (started): Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
    - Kdott.exe (started): Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    - vbc.exe (started): network 192.168.2.1 (unknown); Tries to harvest and steal browser information (history, passwords, etc)
  - schtasks.exe (started)
    - conhost.exe (started)
- dhcpmon.exe (started)
  - conhost.exe (started)
Threat name: ByteCode-MSIL.Backdoor.NanoBot
Status: Malicious
First seen: 2020-10-09 01:18:47 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: persistence spyware keylogger trojan stealer family:nanocore
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Uses the VBS compiler for execution
NanoCore
Malware Config
C2 Extraction:
79.134.225.91:1985
127.0.0.1:1985
Unpacked files

SHA256 hash: 7a2cd283e2f30e88cea6a791a533760e6955b35ffa322e48f2feb6743f705220
MD5 hash: 6ffbaf75628eaf725ed231dcac783ef3
SHA1 hash: 0b5d98f5a6904e1a9dc1ac906baff36d0d37060d

SHA256 hash: d3756a6c8a6e2124a4c0c4d80a6d3eb8f70b4d950c865834210283f519f71ce4
MD5 hash: 053addded5da364e2b2d72b4b17eb19b
SHA1 hash: 09566362b686867f10c3bd5c6b9a4e7ea793811a

SHA256 hash: 13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash: 109cedae3c384a1913107f1efad2b7c8
SHA1 hash: 1f7f35b0ed85fa12bb839cbce698e59a30813420

SHA256 hash: 59411090dac658627420de26e5942a88104ccd6ba4040a616180cdae4972c920
MD5 hash: 36e1004f6987da149d9ef4ee5e17e948
SHA1 hash: 7e2132e1883479ba88c2eae9ad42d934e47bbb04
Detections: win_nanocore_w0

SHA256 hash: 2804009902619fd8c0fa8bd271a3ff04007fd7932aada20985e80a7bcb10c1db
MD5 hash: f033dbe2f9be1b697700b1d59618f3ec
SHA1 hash: c1fc99534d7f3ddec7e78b299770c30f3135ca77
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam > NanoCore > Executable exe 7a2cd283e2f30e88cea6a791a533760e6955b35ffa322e48f2feb6743f705220 (this sample)
Delivery method: Distributed via e-mail attachment
