MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a337bd46dfdc25f5d50ea783b87c7a38e5ef7b6bfd031662c1d857e593869e19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a337bd46dfdc25f5d50ea783b87c7a38e5ef7b6bfd031662c1d857e593869e19
SHA3-384 hash: cc764e2c9d9359bd3d4f08400c8f30295eb82cf24611e2efff7f555e30d52b9db2ccc2707193d124d655199ba886a866
SHA1 hash: f7959364e8441f93bf5f9699a4c654f85bfbc17d
MD5 hash: 20c407b302da1317283e39bae8ee978e
humanhash: romeo-lima-mockingbird-echo
File name:Doc_0720_442.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:648'704 bytes
First seen:2020-07-20 09:27:48 UTC
Last seen:2020-07-22 07:09:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 18cb1753a10ac437b1e45b0361d426a6 (5 x AgentTesla, 3 x MassLogger, 3 x NanoCore)
ssdeep 12288:uRkDC2ugt0FPWW049gyUeGTOiCERxU7TzHjDpVhjTxHuu2ZZcRG4c:uSGE0FpCqi/Uv7X3A3cs4c
Threatray 3'134 similar samples on MalwareBazaar
TLSH 15D4BF66F2A08433D263367F9C5B57B4983ABF9C3D2858422BE85DCC5F387423959293
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: jmigroup-bd.com
Sending IP: 37.49.230.190
From: Procurement @ Singatac <procurement@singatac.com.sg>
Subject: PO-PS20-0254
Attachment: Doc_0720_442.pdf.zip (contains "Doc_0720_442.exe")

NanoCore RAT C2:
izu2128.hopto.org:2128 (185.244.29.131)

Pointing to nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.29.0 - 185.244.29.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-KP
country: KP
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: SUB-ALLOCATED PA
mnt-by: PRIVACYFIRST-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-07-14T13:29:24Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28875/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.10219.20314.UNOFFICIAL
Create hunting rule

Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391228
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247988 Sample: Doc_0720_442.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 104 izu2128.hopto.org 2->104 110 Found malware configuration 2->110 112 Malicious sample detected (through community Yara rule) 2->112 114 Multi AV Scanner detection for dropped file 2->114 116 13 other signatures 2->116 13 Doc_0720_442.exe 2->13         started        16 Doc_0720_442.exe 2->16         started        18 wpasv.exe 2->18         started        20 wpasv.exe 2->20         started        signatures3 process4 signatures5 124 Detected unpacking (changes PE section rights) 13->124 126 Detected unpacking (creates a PE file in dynamic memory) 13->126 128 Detected unpacking (overwrites its own PE header) 13->128 130 Contains functionality to detect sleep reduction / modifications 13->130 22 Doc_0720_442.exe 1 14 13->22         started        27 Doc_0720_442.exe 13->27         started        132 Maps a DLL or memory area into another process 16->132 29 Doc_0720_442.exe 16->29         started        31 Doc_0720_442.exe 3 16->31         started        33 wpasv.exe 18->33         started        35 wpasv.exe 3 18->35         started        37 wpasv.exe 20->37         started        39 wpasv.exe 20->39         started        process6 dnsIp7 106 185.244.29.131, 2128, 49724, 49725 DAVID_CRAIGGG Netherlands 22->106 108 izu2128.hopto.org 105.112.101.252, 2128 VNL1-ASNG Nigeria 22->108 94 C:\Program Files (x86)\...\wpasv.exe, PE32 22->94 dropped 96 C:\Users\user\AppData\Roaming\...\run.dat, data 22->96 dropped 98 C:\Users\user\AppData\Local\...\tmp5257.tmp, XML 22->98 dropped 100 C:\...\wpasv.exe:Zone.Identifier, ASCII 22->100 dropped 122 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->122 41 schtasks.exe 1 22->41         started        43 schtasks.exe 1 22->43         started        45 Doc_0720_442.exe 29->45         started        102 C:\Users\user\...\Doc_0720_442.exe.log, ASCII 31->102 dropped 48 wpasv.exe 33->48         started        50 wpasv.exe 37->50         started        file8 signatures9 process10 signatures11 52 conhost.exe 41->52         started        54 conhost.exe 43->54         started        134 Maps a DLL or memory area into another process 45->134 56 Doc_0720_442.exe 45->56         started        58 Doc_0720_442.exe 45->58         started        60 wpasv.exe 48->60         started        62 wpasv.exe 48->62         started        64 wpasv.exe 50->64         started        66 wpasv.exe 50->66         started        process12 process13 68 Doc_0720_442.exe 56->68         started        71 wpasv.exe 60->71         started        73 wpasv.exe 64->73         started        signatures14 118 Maps a DLL or memory area into another process 68->118 75 Doc_0720_442.exe 68->75         started        77 Doc_0720_442.exe 68->77         started        79 wpasv.exe 71->79         started        81 wpasv.exe 71->81         started        83 wpasv.exe 73->83         started        85 wpasv.exe 73->85         started        process15 process16 87 Doc_0720_442.exe 75->87         started        signatures17 120 Maps a DLL or memory area into another process 87->120 90 Doc_0720_442.exe 87->90         started        92 Doc_0720_442.exe 87->92         started        process18
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a337bd46dfdc25f5d50ea783b87c7a38e5ef7b6bfd031662c1d857e593869e19/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 09:29:06 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=um332rw73qs7lviou6b3q7d2hds6663l7ubrmywb3bl6le4gtymq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
08f2065fd2507d913812ff9c8a09664dbd7004a98ddaeae4e929fad631e0e9f9
NanoCore
5845f8c6a360994b9315ad2e8abbb041a55f4653b6dfc704730202e8c8caf692
NanoCore
59f912d2e25dd9c7ad3414a2a5fefaee8153f0d20cd89ccd96618e8f367facc4
NanoCore
7dfd68770a471f5991cb5b91816584e1c8e6c764bd4d8655c2d752099c5ad057
NanoCore
8761e86d2b6e3bc0c2023f403aaa64994f7a7c53ec0d0308948e67defb75bcc7
NanoCore
97bb08ab5ab612641d3744f726c9369b7cd5ddeaf4b6ddaab9ee8f3d2ee66013
NanoCore
b82d04c79bfd870dd7024db85a5c3c60827776af6bfd6b73306ceebf72150ba4
NanoCore
badaa42576167c5144d69e80a99203a44642e5bab069e197dbff57a8b05c1474
NanoCore
e257a0a26f932ddedd2134e0a56eadc8c19d03049c7c6d9b7d3ca93720106b91
NanoCore
f1dce00c5aa4c6e5023465e1909245114db371694b703c291bdd29de9e7806a8
NanoCore
+ 3'124 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200720-5pefm61s4j/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore
Malware Config
C2 Extraction:
izu2128.hopto.org:2128
185.244.29.131:2128
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a337bd46dfdc25f5d50ea783b87c7a38e5ef7b6bfd031662c1d857e593869e19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 646520a68d13313e8db10e94a04eb3940fffca130fa4ddf2b8d4cb28c3ac0fd0

NanoCore

Executable exe a337bd46dfdc25f5d50ea783b87c7a38e5ef7b6bfd031662c1d857e593869e19

(this sample)

  
Dropped by
MD5 3fbc3b7fc9fbf4a1c4984a4cefd58bd8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28875/
  
Dropped by
SHA256 646520a68d13313e8db10e94a04eb3940fffca130fa4ddf2b8d4cb28c3ac0fd0

Comments