MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 838d8a1b9095168c1c0c24449b62ab0c9eece8211381e59c5f1b8889d1c618af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 838d8a1b9095168c1c0c24449b62ab0c9eece8211381e59c5f1b8889d1c618af
SHA3-384 hash: d4b13053bf47a91b157e56e5fea0a2db7fb0593fa9e16212a858190fb29f56a1b88077a6a6885d73576ccc2eb0440046
SHA1 hash: ff654c042ee0978d246adb90a5a19dd3768b04b2
MD5 hash: c68f8e6fc0a078ff350ab3e61532030e
humanhash: ack-cup-friend-uncle
File name:DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.scr
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'172'480 bytes
First seen:2020-12-18 09:24:01 UTC
Last seen:2020-12-18 10:50:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:vd4nd+PPKSCAsQN8NNiPtoysFRmnkqkQEcb:l44PK8sqGF8I3c
Threatray 1'405 similar samples on MalwareBazaar
TLSH 6445BF342AE9561DF177EF7946E839869BEFF6337707D40D2891038A0A13E40DE9163A
Reporter abuse_ch
Tags:NanoCore scr


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: host.usabestserver.com
Sending IP: 162.214.72.205
From: sales_vic@charmedleather.com
Subject: QUOTATION REQUEST
Attachment: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.uu (contains "DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.scr")

NanoCore RAT C2:
viceka.duckdns.org (104.243.250.194)

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.scr
Verdict:
Malicious activity
Analysis date:
2020-12-18 09:36:10 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/e3a68bf7-8d3c-4ae7-b3a8-feb27fdb86d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108356/
Detection(s):
SecuriteInfo.com.Variant.Bulz.272152.30571.17255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Gathering data
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566175
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332172 Sample: DECEMBER QUOTATION REQUEST ... Startdate: 18/12/2020 Architecture: WINDOWS Score: 100 37 viceka.duckdns.org 2->37 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 13 other signatures 2->51 8 DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe 18 2->8         started        12 dhcpmon.exe 4 2->12         started        signatures3 process4 file5 25 C:\Users\user\AppData\...hHGCBWlFX.exe, PE32 8->25 dropped 27 C:\Users\...hHGCBWlFX.exe:Zone.Identifier, ASCII 8->27 dropped 29 C:\Users\user\AppData\Local\...\tmp9253.tmp, XML 8->29 dropped 31 DECEMBER QUOTATION...0000143_ETQ.exe.log, ASCII 8->31 dropped 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 57 Injects a PE file into a foreign processes 8->57 14 RegSvcs.exe 1 10 8->14         started        19 schtasks.exe 1 8->19         started        21 conhost.exe 12->21         started        signatures6 process7 dnsIp8 39 viceka.duckdns.org 193.109.78.38, 49732, 49735, 49737 SUPERSERVERSDATACENTERRU Russian Federation 14->39 41 127.0.0.1 unknown unknown 14->41 33 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 14->33 dropped 35 C:\Program Files (x86)\...\dhcpmon.exe, PE32 14->35 dropped 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->43 23 conhost.exe 19->23         started        file9 signatures10 process11
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/838d8a1b9095168c1c0c24449b62ab0c9eece8211381e59c5f1b8889d1c618af/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 09:24:08 UTC
AV detection:
13 of 48 (27.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qogyug4qsuliyhamercjwyvlbspoz2bbcoa6lhc7doeituogdcxq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
04bcddc35061986dee833490729276175e4d955ca543d9faeab418033887aed7
NanoCore
5106eff2035cae4bc844f175750857ecffe095b70f7872ddd212bedce7776e80
NanoCore
52bd5d7b847a16014d4efe0fae302a258e7fdae3c3fac133af3c2fc4a82a1004
NanoCore
59f8ca1089708a345369b0abba85484f80b9adff6ac51c152be5110ef6d840d2
NanoCore
6b38ac5b7be8f62d0e7645cdd3553ac86a06ccbbd6de9865f5bdf00bf62822e6
NanoCore
adb1948d6b4d965ee35ea8107b1128a9075d3548b61a72cfb35d0893d1f4ffaf
NanoCore
b59de3e185784023c3bfa211f874ab50b74083e6d0a83174a8c42d74099429a4
NanoCore
d1824eae423ffc61d8e63c5e25aafd27696a3dff2b0e73a43764990199b9590b
NanoCore
d49621996ba7b43c8d7cb35403ccbb13c50f1a1dddc9492ce7a74abd8597a115
NanoCore
e13cf5e6ff234c9b17ea31450b207f160df74b4cd0361a50b1122352a1750390
NanoCore
+ 1'395 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201218-565d3z9n1s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
viceka.duckdns.org:53285
127.0.0.1:53285
Unpacked files
SH256 hash:
838d8a1b9095168c1c0c24449b62ab0c9eece8211381e59c5f1b8889d1c618af
MD5 hash:
c68f8e6fc0a078ff350ab3e61532030e
SHA1 hash:
ff654c042ee0978d246adb90a5a19dd3768b04b2
Link:
https://www.unpac.me/results/f95039f9-a501-4f18-86f3-4abe63e8266d/
SH256 hash:
9149c46462a4147a8e831bae7981148640406e6b72c5514668df8a667a969bf2
MD5 hash:
892255223166b4a8b0550e6434d70831
SHA1 hash:
2386c22b7fe30f65e2dd959cacb3491932204e26
Link:
https://www.unpac.me/results/f95039f9-a501-4f18-86f3-4abe63e8266d/
SH256 hash:
55abf08a6a6ab7c7848a2bc0410d84befe6dcfa118336e2e4f1ee456a8009efc
MD5 hash:
6ce9761c3c3ae715d40a77b982d31dc9
SHA1 hash:
42a5a02eabe7d80d79408549e7686d4e44524361
Link:
https://www.unpac.me/results/f95039f9-a501-4f18-86f3-4abe63e8266d/
SH256 hash:
1b9068cf9c7537dc079c93a6cd203b37dcf367f311ee978fb7635b643444f508
MD5 hash:
f0b1374bab75a042dd14edc34ca76c0e
SHA1 hash:
9f30d5b0c3f7192202ac7283d1579ecdd3e5d5dd
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/f95039f9-a501-4f18-86f3-4abe63e8266d/
SH256 hash:
4aa9734fbc3c48f40bc3aa06331487e25cc68a6bd7d4b71d3ef055b9e04d2b9b
MD5 hash:
c1c2dc39cf238053b8cf592061342605
SHA1 hash:
dfb010311ad3028f7f21b7fa6870adaaad19dfe2
Link:
https://www.unpac.me/results/f95039f9-a501-4f18-86f3-4abe63e8266d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/838d8a1b9095168c1c0c24449b62ab0c9eece8211381e59c5f1b8889d1c618af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 6a26b1e4d38d49ffa58581d36d748e501967fcb7b1df1ee85a917b2c1f5a5348

NanoCore

Executable exe 838d8a1b9095168c1c0c24449b62ab0c9eece8211381e59c5f1b8889d1c618af

(this sample)

  
Dropped by
MD5 67b0704de0689f74a87751055c797b31
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6a26b1e4d38d49ffa58581d36d748e501967fcb7b1df1ee85a917b2c1f5a5348
Cape
Cape
https://www.capesandbox.com/analysis/108356/

Comments