MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7
SHA3-384 hash: 0953b6f0f7a505d814214cd8b5eba7518656c22c59b3c7045f0c19b525f02d9b3e4e8647aa6860abc7648f1f3a6f9708
SHA1 hash: feebecb55f75128f2856736c0c59655e6b061a81
MD5 hash: f7c9346fa820bc04c46d8e205aabe392
humanhash: mountain-sad-alanine-vermont
File name:001038_72220.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:891'392 bytes
First seen:2020-07-22 06:35:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e01edf6e44755e0328837b108f7966d (7 x AgentTesla, 5 x Loki, 3 x NanoCore)
ssdeep 12288:0Q/ena6F83r+bPrsdB0L0gazjJsJNulttShwmAlrJ6b8HRuIbk/PB4s:3aaFabDs7btHlttqwmegQls4s
Threatray 3'253 similar samples on MalwareBazaar
TLSH 36159E76F2934833C563DA3C8C5BA678982AB9111A197A476BF40F4C9F3E64338352D7
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: yahoo.com
Sending IP: 45.143.222.165
From: (Jaems Baek) <james.baek@inseed.kr>
Subject: Re: PO-PS20-0254
Attachment: 001038_72220.pdf.zip (contains "001038_72220.exe")

NanoCore RAT C2s:
wazzy.ddns.net:1716 (105.112.102.244)
79.134.225.75:1716

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Nanocore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30761/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.11988.27959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394383
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249589 Sample: 001038_72220.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 95 wazzy.ddns.net 2->95 101 Multi AV Scanner detection for domain / URL 2->101 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 14 other signatures 2->107 11 001038_72220.exe 2->11         started        14 001038_72220.exe 2->14         started        16 wpasv.exe 2->16         started        18 wpasv.exe 2->18         started        signatures3 process4 signatures5 113 Detected unpacking (changes PE section rights) 11->113 115 Detected unpacking (creates a PE file in dynamic memory) 11->115 117 Detected unpacking (overwrites its own PE header) 11->117 119 Contains functionality to detect sleep reduction / modifications 11->119 20 001038_72220.exe 1 14 11->20         started        25 001038_72220.exe 11->25         started        121 Maps a DLL or memory area into another process 14->121 27 001038_72220.exe 14->27         started        29 001038_72220.exe 3 14->29         started        31 wpasv.exe 16->31         started        33 wpasv.exe 3 16->33         started        35 wpasv.exe 18->35         started        37 wpasv.exe 18->37         started        process6 dnsIp7 97 wazzy.ddns.net 105.112.102.244, 1716 VNL1-ASNG Nigeria 20->97 99 79.134.225.75, 1716, 49734, 49738 FINK-TELECOM-SERVICESCH Switzerland 20->99 85 C:\Program Files (x86)\...\wpasv.exe, PE32 20->85 dropped 87 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 20->87 dropped 89 C:\Users\user\AppData\Local\...\tmp6392.tmp, XML 20->89 dropped 91 C:\...\wpasv.exe:Zone.Identifier, ASCII 20->91 dropped 109 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->109 39 schtasks.exe 1 20->39         started        41 schtasks.exe 1 20->41         started        43 001038_72220.exe 27->43         started        93 C:\Users\user\...\001038_72220.exe.log, ASCII 29->93 dropped 46 wpasv.exe 31->46         started        48 wpasv.exe 35->48         started        file8 signatures9 process10 signatures11 50 conhost.exe 39->50         started        52 conhost.exe 41->52         started        54 001038_72220.exe 43->54         started        56 001038_72220.exe 43->56         started        123 Maps a DLL or memory area into another process 46->123 58 wpasv.exe 46->58         started        60 wpasv.exe 46->60         started        62 wpasv.exe 48->62         started        64 wpasv.exe 48->64         started        process12 process13 66 001038_72220.exe 50->66         started        68 001038_72220.exe 50->68         started        70 001038_72220.exe 54->70         started        73 wpasv.exe 58->73         started        75 wpasv.exe 62->75         started        signatures14 111 Maps a DLL or memory area into another process 73->111 77 wpasv.exe 73->77         started        79 wpasv.exe 73->79         started        81 wpasv.exe 75->81         started        83 wpasv.exe 75->83         started        process15
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 01:17:04 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ufhuey6aaltx5ch2tckx4gjiryqhnlly3a6cer3bp4ncbhkvu6tq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
02a3cf916211a06c79f7f785d925d76a6f0c1ea946c03c475048c1dc78d338ce
NanoCore
13401ed6c28248a7b90b62de52d902972a9c0b72e2e19aded928988e2c9c4503
NanoCore
35a94d699b3b76654146147d5049a618067f3c2081f0b90d28f2b0cb4baf9df1
NanoCore
8948e4e0f392197b1c1436e5f7a2a7bc326c849b6129d8cf287a6d6a03cd642e
NanoCore
a3f262fc5001f20e6d8fdf3bc436febffa5f4065eec8463bdd767efa2c3f445b
NanoCore
a7b022be326a3aa380e1bd55bde21fea8d7e0c59e037b7db2902c63b01bb6fda
NanoCore
a932257a2967d22fd7478319f19297485c631cd24990804be1e27752bc5549e5
NanoCore
ab986524b5bf9434296a01cba5f2c36ba731946e8e39b6ff362c3a7ce7483353
NanoCore
b4c84cf915c0f29a82c0fa8d9e7c7940338ebedf458ce7d4b187935bd5ba9e82
NanoCore
d371f4d1ca41860654d8b400e4162fc379c05c31778f5bb4cbb653766f5be3db
NanoCore
+ 3'243 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200722-tmz8yw15ga/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
UPX packed file
NanoCore
Malware Config
C2 Extraction:
wazzy.ddns.net:1716
79.134.225.75:1716
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 02faaf18a3c1ea47b86693fe03628c6dc4b58c3dd0f670a7b48d96866e9840e3

NanoCore

Executable exe a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7

(this sample)

  
Dropped by
MD5 ef2d23326fd089317e828f7232c7c9b8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30761/
  
Dropped by
SHA256 02faaf18a3c1ea47b86693fe03628c6dc4b58c3dd0f670a7b48d96866e9840e3

Comments