MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dfd68770a471f5991cb5b91816584e1c8e6c764bd4d8655c2d752099c5ad057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dfd68770a471f5991cb5b91816584e1c8e6c764bd4d8655c2d752099c5ad057
SHA3-384 hash: 235e172c6f4d6cd6036aceca8227204fe552cb6617dc308d94e2bf8c91d2ae3a1e7b7c26786757b1ce6eea5a018f4bf6
SHA1 hash: 02168a57d033194cf740a35d1958445f40da49c2
MD5 hash: 9861f0048c48f842aa5a62d5a1f67201
humanhash: mountain-bakerloo-pennsylvania-avocado
File name:Doc_72020_437.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:649'216 bytes
First seen:2020-07-20 09:08:51 UTC
Last seen:2020-07-20 10:39:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 18cb1753a10ac437b1e45b0361d426a6 (5 x AgentTesla, 3 x MassLogger, 3 x NanoCore)
ssdeep 12288:aRkDC2ugt0FPWW049gyUeGTOiCERxU7TzHjD+E+no9/UHF5tezOkJreGk:aSGE0FpCqi/Uv7XynI/UlOzOj
Threatray 3'130 similar samples on MalwareBazaar
TLSH 52D4BF66F2A08833C1633A7B9C5B57B4683ABF9C3D2859432BE85CCC5F397423559293
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: diabos.biz
Sending IP: 45.143.222.165
From: George Drumitrascu <office@dacorom.ro>
Subject: Re: New RFQ
Attachment: Doc_72020_437.pdf.zip (contains "Doc_72020_437.exe")

NanoCore RAT C2:
wazzy.ddns.net:1716 (79.134.225.75)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28856/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.10219.20314.UNOFFICIAL
Create hunting rule

Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391174
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247947 Sample: Doc_72020_437.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 102 Multi AV Scanner detection for domain / URL 2->102 104 Found malware configuration 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 15 other signatures 2->108 11 Doc_72020_437.exe 2->11         started        14 Doc_72020_437.exe 2->14         started        16 wpasv.exe 2->16         started        18 wpasv.exe 2->18         started        process3 signatures4 118 Detected unpacking (changes PE section rights) 11->118 120 Detected unpacking (creates a PE file in dynamic memory) 11->120 122 Detected unpacking (overwrites its own PE header) 11->122 124 Contains functionality to detect sleep reduction / modifications 11->124 20 Doc_72020_437.exe 1 14 11->20         started        25 Doc_72020_437.exe 11->25         started        126 Maps a DLL or memory area into another process 14->126 27 Doc_72020_437.exe 14->27         started        29 Doc_72020_437.exe 3 14->29         started        31 wpasv.exe 16->31         started        33 wpasv.exe 2 16->33         started        35 wpasv.exe 18->35         started        37 wpasv.exe 3 18->37         started        process5 dnsIp6 98 wazzy.ddns.net 105.112.102.244, 1716 VNL1-ASNG Nigeria 20->98 100 79.134.225.75, 1716, 49723, 49724 FINK-TELECOM-SERVICESCH Switzerland 20->100 88 C:\Program Files (x86)\...\wpasv.exe, PE32 20->88 dropped 90 C:\Users\user\AppData\Roaming\...\run.dat, data 20->90 dropped 92 C:\Users\user\AppData\Local\...\tmpA956.tmp, XML 20->92 dropped 94 C:\...\wpasv.exe:Zone.Identifier, ASCII 20->94 dropped 116 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->116 39 schtasks.exe 1 20->39         started        41 schtasks.exe 1 20->41         started        43 Doc_72020_437.exe 27->43         started        96 C:\Users\user\...\Doc_72020_437.exe.log, ASCII 29->96 dropped 46 wpasv.exe 31->46         started        48 wpasv.exe 35->48         started        file7 signatures8 process9 signatures10 50 conhost.exe 39->50         started        52 conhost.exe 41->52         started        128 Maps a DLL or memory area into another process 43->128 54 Doc_72020_437.exe 43->54         started        56 Doc_72020_437.exe 43->56         started        130 Sample uses process hollowing technique 46->130 58 wpasv.exe 46->58         started        60 wpasv.exe 46->60         started        62 wpasv.exe 48->62         started        64 wpasv.exe 48->64         started        process11 process12 66 Doc_72020_437.exe 54->66         started        69 wpasv.exe 58->69         started        71 wpasv.exe 62->71         started        signatures13 110 Maps a DLL or memory area into another process 66->110 73 Doc_72020_437.exe 66->73         started        75 Doc_72020_437.exe 66->75         started        77 wpasv.exe 69->77         started        79 wpasv.exe 69->79         started        81 wpasv.exe 71->81         started        83 wpasv.exe 71->83         started        process14 process15 85 Doc_72020_437.exe 73->85         started        signatures16 112 Maps a DLL or memory area into another process 85->112 114 Sample uses process hollowing technique 85->114
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7dfd68770a471f5991cb5b91816584e1c8e6c764bd4d8655c2d752099c5ad057/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 09:10:09 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=px6wq5yki4pvteolloiyczme4heonr3exvgymvoc25jathc22blq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
5845f8c6a360994b9315ad2e8abbb041a55f4653b6dfc704730202e8c8caf692
NanoCore
59f912d2e25dd9c7ad3414a2a5fefaee8153f0d20cd89ccd96618e8f367facc4
NanoCore
72226e94b46283845dadd5cd465bdd84240bc2eab9728cddaed267401e78c23f
NanoCore
8761e86d2b6e3bc0c2023f403aaa64994f7a7c53ec0d0308948e67defb75bcc7
NanoCore
97bb08ab5ab612641d3744f726c9369b7cd5ddeaf4b6ddaab9ee8f3d2ee66013
NanoCore
a337bd46dfdc25f5d50ea783b87c7a38e5ef7b6bfd031662c1d857e593869e19
NanoCore
b82d04c79bfd870dd7024db85a5c3c60827776af6bfd6b73306ceebf72150ba4
NanoCore
badaa42576167c5144d69e80a99203a44642e5bab069e197dbff57a8b05c1474
NanoCore
e257a0a26f932ddedd2134e0a56eadc8c19d03049c7c6d9b7d3ca93720106b91
NanoCore
f1dce00c5aa4c6e5023465e1909245114db371694b703c291bdd29de9e7806a8
NanoCore
+ 3'120 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200720-1c29h6cvh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore
Malware Config
C2 Extraction:
wazzy.ddns.net:1716
79.134.225.75:1716
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7dfd68770a471f5991cb5b91816584e1c8e6c764bd4d8655c2d752099c5ad057

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip a078bd532d3dd20f47104f8b8a24cb6fc5b007f0373a117e6108c5e5b8e18aa1

NanoCore

Executable exe 7dfd68770a471f5991cb5b91816584e1c8e6c764bd4d8655c2d752099c5ad057

(this sample)

  
Dropped by
MD5 f322948147e5f21d79405b76e089d8f8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28856/
  
Dropped by
SHA256 a078bd532d3dd20f47104f8b8a24cb6fc5b007f0373a117e6108c5e5b8e18aa1

Comments