MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db
SHA3-384 hash: 504d1455a89a137c0696d475a56830d2e67363b921581a8af00737044bb9aaa8472c55f99f19776c3e96ebfc34a2faea
SHA1 hash: 9a547040db23b1a5f8643c44f5f49f9b909aa431
MD5 hash: 19e37f230241df1a515db9a800201b9e
humanhash: colorado-william-lemon-mike
File name:invoice and packing list #22122020.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:910'848 bytes
First seen:2020-12-22 15:51:42 UTC
Last seen:2020-12-22 17:39:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:R4GonzKs5jPl66Iht2JlLFuawK13dYmBnwMUwb2Od2ck6lsu5/vnT0dw35na5AP:R4Lzwe9wK13dYmVvUwbL2/Sv3ha5A
Threatray 1'637 similar samples on MalwareBazaar
TLSH B1156C20E5E9D119FD329B67C6D0F4F186BABDE2E30ED41B28D13E463632941C9B1729
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: asamco-sa.com
Sending IP: 212.83.46.26
From: EIRAD Trading and Contracting Co. LTD <info@asamco-sa.com>
Subject: SHIPMENT NEED ADVICE
Attachment: invoice and packing list 22122020.7z (contains "invoice and packing list #22122020.exe")

NanoCore RAT C2:
185.165.153.84:20110

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-UK
country: GB
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-10-26T17:45:15Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice and packing list #22122020.exe
Verdict:
Malicious activity
Analysis date:
2020-12-22 16:19:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/71232510-ad3b-4131-bfa7-c8fc13c8c1cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108951/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.5219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568573
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Binary contains a suspicious time stamp
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 15:52:07 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=upthxwkih72e4gkitpqtqcman4rivkaghvyb6i2e53jfzhb42xnq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425
NanoCore
07b7896911fbed2570ef9716256497017a3d2e57b4f992afc3c42aede186284d
NanoCore
0d23d50f25bc53d65f18b1d1ed302ef80baa0ad2723e1519f754303c9829a108
NanoCore
1085d37245912faccfa2fb20359b5560032988719e277a0b98ac2ef9da1476a2
NanoCore
1a5a50f2ed013719d08a9eb60588a626aa6e0e58762ce7721dfbdc56e968c63c
NanoCore
42ed72b284dd390611cdc6b88aab94d9afa0b48d12037aa3edc64aeede11499c
NanoCore
55a85320a226d58c12355a5836a77fd17fd270fefa30612da9e6a79b9f17b222
NanoCore
5f7a6ab99e2c38a8093873b93853316b31cc15319a17af6d11f50511c4ad8456
NanoCore
88ae38556e157d0f34780d0764240a8f5be7c503b4c4c173403cd2be59cd2916
NanoCore
e4174e1702d046eb696fb13f9d7be26c7b519179ac94212ce61de97ed586cf10
NanoCore
+ 1'627 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201222-67ppqzch3n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
185.165.153.84:20110
msaqibafrozo.duckdns.org:20110
Unpacked files
SH256 hash:
a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db
MD5 hash:
19e37f230241df1a515db9a800201b9e
SHA1 hash:
9a547040db23b1a5f8643c44f5f49f9b909aa431
Link:
https://www.unpac.me/results/3452e842-5134-43a1-9459-0d4228083faf/
SH256 hash:
14465aea3086ce62aea3f76e24f2e64650448d3f206bacaf2a025fe1e0c80758
MD5 hash:
813d6dc28772a5ed29da4c57e6995498
SHA1 hash:
0c6e060c10975909a3c77101c410405461061dea
Link:
https://www.unpac.me/results/3452e842-5134-43a1-9459-0d4228083faf/
SH256 hash:
63a681a5739224e2a8d2184aee0f2672d57a99b920dbd40de6decb78b961b588
MD5 hash:
fc6398e3e937efd3ec3b835312111b12
SHA1 hash:
1df5edc9d3e24de6032d3569db24c58f79f65476
Link:
https://www.unpac.me/results/3452e842-5134-43a1-9459-0d4228083faf/
SH256 hash:
74231bfbd4fb830b9ef2db487b948812bfe87a184928b33dafa5a8e388ee0fa7
MD5 hash:
59ddad0ccd915041d217f7b3467c8bd5
SHA1 hash:
1f4c5d5bc25191f0130812b71f98bd2bfa6a1c1d
Link:
https://www.unpac.me/results/3452e842-5134-43a1-9459-0d4228083faf/
SH256 hash:
f01e0f367495c9e173c14bf1dd3150dba04806d3d38a177cad318db03e81ccfb
MD5 hash:
ca6152cccdff4ce7e3e8e642feda71a9
SHA1 hash:
d2c7c7048c6bfe02ea17255010d2fc72a7d07529
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/3452e842-5134-43a1-9459-0d4228083faf/
Parent samples :
3a07dbe6d6a87a8dd57471a9f22d5aedf60e4743bdd28ed0409a3239f79804a5
a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db
9df9ae7c7105190f492e203637fb147ff92d8d197a42d215408a4ede9b8be1ce
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

7z 7be68ffe59d4bd106a10164560df5605aad484d03d3714c4d556ad0f07c24da0

NanoCore

Executable exe a3e67bd9483ff44e19489be13809806f228aa8063d701f2344eed25c9c3cd5db

(this sample)

  
Dropped by
MD5 037b7a5b527a77b723e798b908c74a6c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/108951/
  
Dropped by
SHA256 7be68ffe59d4bd106a10164560df5605aad484d03d3714c4d556ad0f07c24da0

Comments