MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dc6752dd96670e64e948fc193015555f6fb75e2c3329342e02d986692d5e66f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dc6752dd96670e64e948fc193015555f6fb75e2c3329342e02d986692d5e66f
SHA3-384 hash: 9f3fbe2f62df8ad110f99e64f49c18df620267daa1edd4367dd0eb099767f00c028ea4a725c9b18b207ec953bb3f05d6
SHA1 hash: fa1313983648e97e0851adaa2c4cff3675647710
MD5 hash: 8b04c620c9e78fe44f129950681aceb4
humanhash: colorado-apart-robert-yellow
File name:8b04c620c9e78fe44f129950681aceb4.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:815'616 bytes
First seen:2020-07-25 07:26:54 UTC
Last seen:2020-08-02 07:33:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:RBZBSkMLF6xhB+HyaeW67yNseSwEFvxRU13VQO85dQ+2Z:RBZ8kMLIB+Hxu7esnpRU13Vz8cZ
Threatray 1'258 similar samples on MalwareBazaar
TLSH A6056A44A3D80708F0BE7E367875D9B50976BCD6AD76E61D09C52C8B3C32B80D962F26
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
NanoCore RAT C2s:
185.244.30.251:5600
79.134.225.12:5600

Hosted on nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
descr: Budapest, Hungary
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-07-17T11:52:57Z
source: RIPE


% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
3
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32326/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WOX.2120.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun with Startup directory
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/397847
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251104 Sample: TzFNXAOpCd.exe Startdate: 25/07/2020 Architecture: WINDOWS Score: 100 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for dropped file 2->76 78 7 other signatures 2->78 12 TzFNXAOpCd.exe 2 2->12         started        16 wpasv.exe 2 2->16         started        process3 file4 66 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 12->66 dropped 92 Drops PE files to the startup folder 12->92 94 Maps a DLL or memory area into another process 12->94 18 TzFNXAOpCd.exe 1 12->18         started        21 RegAsm.exe 1 8 12->21         started        25 conhost.exe 16->25         started        signatures5 process6 dnsIp7 80 Maps a DLL or memory area into another process 18->80 27 TzFNXAOpCd.exe 1 18->27         started        30 RegAsm.exe 3 18->30         started        32 RegAsm.exe 18->32         started        68 185.244.30.251, 5600 DAVID_CRAIGGG Netherlands 21->68 70 79.134.225.12, 49739, 49740, 49741 FINK-TELECOM-SERVICESCH Switzerland 21->70 62 C:\Users\user\AppData\Roaming\...\run.dat, data 21->62 dropped 64 C:\Program Files (x86)\...\wpasv.exe, PE32 21->64 dropped 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->82 file8 signatures9 process10 signatures11 90 Maps a DLL or memory area into another process 27->90 34 TzFNXAOpCd.exe 27->34         started        37 RegAsm.exe 2 27->37         started        39 RegAsm.exe 27->39         started        process12 signatures13 84 Maps a DLL or memory area into another process 34->84 41 TzFNXAOpCd.exe 34->41         started        44 RegAsm.exe 34->44         started        process14 signatures15 88 Maps a DLL or memory area into another process 41->88 46 TzFNXAOpCd.exe 41->46         started        49 RegAsm.exe 41->49         started        51 RegAsm.exe 41->51         started        process16 signatures17 96 Maps a DLL or memory area into another process 46->96 53 TzFNXAOpCd.exe 46->53         started        56 RegAsm.exe 46->56         started        process18 signatures19 86 Maps a DLL or memory area into another process 53->86 58 RegAsm.exe 53->58         started        60 TzFNXAOpCd.exe 53->60         started        process20
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9dc6752dd96670e64e948fc193015555f6fb75e2c3329342e02d986692d5e66f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-25 07:28:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=txdhklozmzyomtuur7azgakvkx3pw5pcymzjgqxafwmgnewv4zxq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
3cb221973d52d12fc900f37496a9c5f77b30da63886a0f7d54111982c00e872b
NanoCore
3f9b2ff85d8fdeb4795e6cbee63e908cba9d205e835465ae80025a4d0d136c04
NanoCore
582ec0985f0066dab40c455d1f8e6c414d9d5d0c156f673c6327efb901d97542
NanoCore
62a7f441ba21aaa568fe700029fa32d6dd7eeb2ed0a7f7259a680f2aae65ee31
NanoCore
7528449cf7a3a8d1b8d56a5207cbcff5c2afe95aa6f4258acfa858a28bd370f5
NanoCore
830ebbba209b2d1403ad73d769b387ab9ee0d89f22a56aecdaf306e4d5e0e439
NanoCore
8ee9784e9c874e7b40e667115655e0965420c5233238ca1499cdd7c25c79dc6c
NanoCore
a30dd99039152a76aacb5607d79b400098d9cd24350c0121fe4f7811177c0dbc
NanoCore
ccf661061226a4fe358b46c6fab8a29686323e41aa50fe06c06963c9939a2669
NanoCore
d43cf8e5ba941f74e342991981490516814e671fb06595ca8fb0b6770e083b84
NanoCore
+ 1'248 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200725-8snlfk6s3j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
C2 Extraction:
185.244.30.251:5600
79.134.225.12:5600
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dc6752dd96670e64e948fc193015555f6fb75e2c3329342e02d986692d5e66f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 9dc6752dd96670e64e948fc193015555f6fb75e2c3329342e02d986692d5e66f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/418735/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32326/

Comments