MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9df9ae7c7105190f492e203637fb147ff92d8d197a42d215408a4ede9b8be1ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9df9ae7c7105190f492e203637fb147ff92d8d197a42d215408a4ede9b8be1ce
SHA3-384 hash: 2ea6f0d2770ed5e08fbd7320b9c8ceddb55c12ae8cdca413fcb41702ff24883569e803839890d7525bef9532d8374cfb
SHA1 hash: 503eebc00949df200a51e5abebeb0866e5b2d223
MD5 hash: 35031322209b28c32bb19db1e55b0bd3
humanhash: steak-summer-salami-ink
File name:ĐIỆN SWIFT MT103.bat
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'083'392 bytes
First seen:2020-12-23 07:43:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:TiJm0jMonzKs5jPl66Iht2JlIzDyIqQOKL3dIIUAJyfwrIoNuV8npDrwJug:Tifhzwlzjq1pAnrvNo8npQU
Threatray 1'684 similar samples on MalwareBazaar
TLSH 4F355C3129FE60E7F1736B398ACA255A8F69BF323623D51E14B032E50732F81DD51929
Reporter abuse_ch
Tags:bat NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: asamco-sa.com
Sending IP: 212.83.46.26
From: Pham Van Duc <info@asamco-sa.com>
Subject: Outstanding Payments
Attachment: ĐIỆN SWIFT MT103.zip (contains "ĐIỆN SWIFT MT103.bat")

NanoCore RAT C2:
msaqibafrozo.duckdns.org:20110 (185.244.30.90)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-10-07T21:39:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
536
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ĐIỆN SWIFT MT103.bat
Verdict:
Suspicious activity
Analysis date:
2020-12-23 07:47:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1a2dddc6-e8ed-4b2f-800d-281d8d96a7bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109138/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568974
Signature
.NET source code contains very large strings
Binary contains a suspicious time stamp
Detected Nanocore Rat
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9df9ae7c7105190f492e203637fb147ff92d8d197a42d215408a4ede9b8be1ce/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-23 02:31:20 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tx4247draumq6sjoea3dp6yup74s3dizpjbnefkarjhn5g4l4hha._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
06c8996db7925f8eba3f2e8c64b7b80a5d7a896733c9bd479336ed0cd13d19df
NanoCore
3459d3a07659440f0e31b4b59a53a6ed78914d64a467cab3dcd05de1555c1488
NanoCore
56e710ea1f70626aee844269cb7197e2142908b70082908436a77e1ee4d9fce7
NanoCore
a032cd20c067b83f1cab391af7671f7ae669de96dbf995f08580b14d218aeccc
NanoCore
a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db
NanoCore
a4ac924b325bb34665d5d8ac09f895c0ac3ecbd504f00a02d2489529caa130dc
NanoCore
b3cc4d8429cfa934b85dd933dd9848adce458907bf5e3bab5e99e8a83c1966d4
NanoCore
b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4
NanoCore
b87399c6d528ab7bf017ea2c0d5a1b8d6eb5eb98c1837af426b4beff34372c01
NanoCore
b8ddba51be188310218fd595f1053023789453dcc894b1a9a61d1d0494dee15d
NanoCore
+ 1'674 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201223-jm1f27qd62/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
7e3d95f91f71b725729c545003b19e9f9a44b61b433e65a7c57958cb393bc1c0
MD5 hash:
5907db3110f905f1389b37031dbb07a7
SHA1 hash:
8551751c373397e570dd472fc048203589f68cf3
Link:
https://www.unpac.me/results/a589c661-a582-495d-8541-ab9aa5c6702c/
SH256 hash:
51b11613df0a8a93c9bf286ff3696c32f50b7763d78425815afaf1d8564fa186
MD5 hash:
6ecc999b80aac33f4255cd30134483ee
SHA1 hash:
86e68ae281efd6741d89eb30388040bb9e68034b
Link:
https://www.unpac.me/results/a589c661-a582-495d-8541-ab9aa5c6702c/
SH256 hash:
f01e0f367495c9e173c14bf1dd3150dba04806d3d38a177cad318db03e81ccfb
MD5 hash:
ca6152cccdff4ce7e3e8e642feda71a9
SHA1 hash:
d2c7c7048c6bfe02ea17255010d2fc72a7d07529
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/a589c661-a582-495d-8541-ab9aa5c6702c/
Parent samples :
3a07dbe6d6a87a8dd57471a9f22d5aedf60e4743bdd28ed0409a3239f79804a5
a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db
9df9ae7c7105190f492e203637fb147ff92d8d197a42d215408a4ede9b8be1ce
SH256 hash:
870e149d7f965298c0302a8665eabcf8161067c46f623e9d5783d35e25c86a79
MD5 hash:
adc4423cf51d2cc1bcfeb3c115a20629
SHA1 hash:
f514213a0c2adc3d80536791ba90f71c16b8549d
Link:
https://www.unpac.me/results/a589c661-a582-495d-8541-ab9aa5c6702c/
SH256 hash:
9df9ae7c7105190f492e203637fb147ff92d8d197a42d215408a4ede9b8be1ce
MD5 hash:
35031322209b28c32bb19db1e55b0bd3
SHA1 hash:
503eebc00949df200a51e5abebeb0866e5b2d223
Link:
https://www.unpac.me/results/a589c661-a582-495d-8541-ab9aa5c6702c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9df9ae7c7105190f492e203637fb147ff92d8d197a42d215408a4ede9b8be1ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 83d8be01101f46805783a46779747ce1b95da6ebf9140d8fff5acaf434bc23f0

NanoCore

Executable exe 9df9ae7c7105190f492e203637fb147ff92d8d197a42d215408a4ede9b8be1ce

(this sample)

  
Dropped by
MD5 a4c3bad236ad67b49be6823e2df181db
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 83d8be01101f46805783a46779747ce1b95da6ebf9140d8fff5acaf434bc23f0
Cape
Cape
https://www.capesandbox.com/analysis/109138/

Comments