MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17
SHA3-384 hash:	280de7196ee2e83ed213a5b88942727177d1b6c8dc701d0cf460531ef42bc03c32ecfb28bdb92f60f6e5c7198f17d132
SHA1 hash:	636831413fb537f30dc7f961e606955d2493629d
MD5 hash:	f78c482e3e245d5c735d29d9b215e034
humanhash:	video-tango-don-carbon
File name:	Receipt.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'213'952 bytes
First seen:	2020-10-09 15:44:04 UTC
Last seen:	2020-10-09 17:16:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:vql8c6mXPyVyqq36uGz3OccXOAKUQJAai5PCwsGMktHw6QgWlVAuVgVMBP35lo2Y:Sl8c6nyqeVo3OZXvfQJAaqCb6
Threatray	1'116 similar samples on MalwareBazaar
TLSH	41455A9C3250B59EC597E8328F54DC74A7507C6A870BC213A0E33E9FBABC5979E141B2
Reporter	abuse_ch
Tags:	exe FedEx NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: mail.motonina.ml
Sending IP: 45.147.162.146
From: FedEx Express. <admin@motonina.ml>
Subject: Parcel pickup
Attachment: Receipt.img (contains "Receipt.exe")

NanoCore RAT C2:
u852117.nvpn.to:5638 (185.244.30.163)

Hosted on nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-10-07T21:39:48Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69589/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a process with a hidden window

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/486911

Signature

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected Nanocore Rat

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-09 12:30:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qvi4auybwufbo5rwg7gkp4uru23xtsbpcytv642ope7wudt6dilq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

080a6fbf91637b683b6f363092f9b7d6e75b8442c6f9df32ffea0788e16fafdf

NanoCore

09b6cbc23d3570aa16eb80e836e9a006e9e5f45d6d944e92d00421ab87962b76

NanoCore

266fb950b47e675141744de2c8e756706d50eeab5092d2dda233cb2ed0c2fb9c

NanoCore

619a5e8a0ade93b187c7f438bcb7c5bb15a33da3148176513a2c0010c7960cd4

NanoCore

6839dfb2bf232ccc68bdb4e275ffc1a2e8eb4c672071b706cd3e7a77c85cd4e3

NanoCore

7cdf1294eb40f2a207f55cbb1a68761135500f64bb077a7f4ba9a7d3098850f1

NanoCore

b4a60a5fdddebf1351aa77b5ae1b850c8f53312cbe7e3792a0adbd3a458c70ba

NanoCore

d8ad1152e4f637d74f26843242b113b17d305d71a9b1c1aa6005ab599371cc8b

NanoCore

ddf157853be3dbebba9eea0db9815017a0c7d8dded210a5c291d7b0ccd2fd2be

NanoCore

+ 1'106 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

keylogger trojan stealer spyware family:nanocore

Link:

https://tria.ge/reports/201009-gkva1wm43n/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NanoCore

Malware Config

C2 Extraction:

u852117.nvpn.to:5638

Unpacked files

SH256 hash:

8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17

MD5 hash:

f78c482e3e245d5c735d29d9b215e034

SHA1 hash:

636831413fb537f30dc7f961e606955d2493629d

Link:

https://www.unpac.me/results/232251f7-32c2-48c7-89e1-6ee41326f4ad/

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/232251f7-32c2-48c7-89e1-6ee41326f4ad/

SH256 hash:

4cbfc95cf8b0d6dc532f0a297d92ba5d3e3702ef2875a2998e3cef3617b03682

MD5 hash:

b315f1f51c28d7ec656c1b8578cb787b

SHA1 hash:

81f433e01a141eb998dbec663999098bd4490ba4

Link:

https://www.unpac.me/results/232251f7-32c2-48c7-89e1-6ee41326f4ad/

SH256 hash:

2682ab3fbe024e7c4a76a61ac03f6d8f49f1628124056bc82f2a001ccc93a147

MD5 hash:

13ef721172488706899f5004791322f5

SHA1 hash:

97860fe24817563d0ed443cb3aeaf1f2bba827e8

Detections:

win_nanocore_w0

Link:

https://www.unpac.me/results/232251f7-32c2-48c7-89e1-6ee41326f4ad/

Parent samples :

8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17
b20265f6aaff86503f7be16f8b9215763a9bd166135e506191e4212afbfca4ed

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/