MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eb1cd61e77d7133bd5252c9c7574d4171ba60c856dbedd15754c5b0e3c827b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	9eb1cd61e77d7133bd5252c9c7574d4171ba60c856dbedd15754c5b0e3c827b4
SHA3-384 hash:	2b701d3772ba744d8dbfbe38c597eff7e77281f9430163332aa39de72469a64f8e6fd5747e4c57c72d8e81393dfc0a2e
SHA1 hash:	c9028f427d3bfd2efe4b08989ea73be739a6d290
MD5 hash:	76a8f2eb76dce33384b6eae299b861cd
humanhash:	hawaii-uranus-spring-solar
File name:	STMPO3683HK.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	732'160 bytes
First seen:	2020-07-08 06:56:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	927c37aff1985dca3a480112dcc5320c (11 x AgentTesla, 5 x NanoCore, 3 x Loki)
ssdeep	12288:PXjgbnMmIKCXsLIN4KKD6fpkR+ypsKtvP1QZTQC+ILopSxzb/lPkULuT9FaqCsA3:vkb4uLgpfpkZqN5GXAauek
Threatray	3'190 similar samples on MalwareBazaar
TLSH	A1F4AF22F7A14833D16316799C1B57B8983ABE103D3479862BE55C4C9F39382397AF93
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: cloud.spring.net.in
Sending IP: 103.127.29.248
From: Maria Sohail <acct1@vinflair.com>
Subject: Re: Outstaning Statement
Attachment: STMPO3683HK.pdf.zip (contains "STMPO3683HK.exe")

NanoCore RAT C2:
darlingtondc.hopto.org:1905 (185.165.153.17)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/22894/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/9eb1cd61e77d7133bd5252c9c7574d4171ba60c856dbedd15754c5b0e3c827b4/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-08 06:58:07 UTC

AV detection:

42 of 48 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t2y42yphpvythpkskle4ov2nify3uygik3n63ukxktc3by6ie62a._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

NanoCore

4dd90f817154b87c0269aabb51365dfa4c57896449642d178ad19891e52b5aff

NanoCore

70706e21df2777c92d5a20bf792b88d3152b05fab743d881b3a3311291da6f62

NanoCore

8e7d8dc49220d4ac88858ec8401d0d2b2a0c21d7b8e301c68de51e8a99238363

NanoCore

8eb3933e2012364a81fa9f1003c485c03c6cafd61eefaf1b4059cc8d4a4066a7

NanoCore

c24f35c4f744e2ab5aaa0c950506bc3c9753507848d9094a3359da507a96b861

NanoCore

c75fa16118d5d921d598bd9ff539426dcfd7aece03815e5be6414763ba72bda6

NanoCore

de77f2b2fe58ab75b2a6876cc9883d59330766559847223284d764b74d88df12

NanoCore

e83175d7d56084e7dde32b39f8d113f91ee1834890222dde4f987236a88b4165

NanoCore

ea9d8c28e623cbabc1407aa3da7a681adb93ef3e758fe31aaf664ff3998cddb5

NanoCore

+ 3'180 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200708-7h4tcpf6dx/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetThreadContext

Checks whether UAC is enabled

UPX packed file

NanoCore

Malware Config

C2 Extraction:

darlingtondc.hopto.org:1905
185.165.153.17:1905

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/