MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a682ac9ef2f7b961a104799132c533960d192614ef6a43b1fd9a6a88bfdb6f21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a682ac9ef2f7b961a104799132c533960d192614ef6a43b1fd9a6a88bfdb6f21
SHA3-384 hash: 5d336097d825195f0480e3eb4fba33a53bcf98539ef97f54b35483edc9b688af80525609eefc53a55f63e04fc8b9aca0
SHA1 hash: 6c08071496e8a4f0ec070bd03eb74163bd6b74b6
MD5 hash: 383d697c7586ba7d914d99eac01d40df
humanhash: snake-carbon-fruit-pip
File name:RFQ.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:909'312 bytes
First seen:2020-08-31 10:59:51 UTC
Last seen:2020-08-31 12:17:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:MQDyEpX2lQK0sadpySoOlT8edq2LibYTJ1Fw9F7cQoKMGz5RnterXZEW2acu5VMg:MQCa7kOlIeheYJ1FucQ7Xn68acHg
Threatray 1'064 similar samples on MalwareBazaar
TLSH 2C15D052531D8B2EDC1877B8349104DCE2B27F81FE38E1DCDD0B31AA6A7724DA5D9292
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: neelkant.allwebserver.com
Sending IP: 78.140.174.120
From: Angelina Rodrigo <sjrkintluea@gmail.com>
Reply-To: sjrkintluea@gmail.com
Subject: Request For Quotation
Attachment: RFQ.arj (contains "RFQ.exe")

NanoCore RAT C2:
91.193.75.18:1985

Hosted on nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: RU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
abuse-c: NVS100-RIPE
mnt-by: NINAZU-MNT
mnt-by: RIPE-NCC-END-MNT
org: ORG-KHd1-RIPE
sponsoring-org: ORG-MW1-RIPE
status: ASSIGNED PI
created: 2012-06-04T11:05:55Z
last-modified: 2020-07-28T21:23:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53425/
Detection(s):
SecuriteInfo.com.Artemis383D697C7586.22015.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore AveMaria MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455300
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected Nanocore Rat
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AveMaria stealer
Yara detected MailPassView
Yara detected Nanocore RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 280037 Sample: RFQ.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 15 other signatures 2->66 8 RFQ.exe 7 2->8         started        12 RegSvcs.exe 2 2->12         started        14 dhcpmon.exe 2 2->14         started        16 dhcpmon.exe 1 2->16         started        process3 file4 50 C:\Users\user\AppData\Roaming\cEVmcc.exe, PE32 8->50 dropped 52 C:\Users\user\...\cEVmcc.exe:Zone.Identifier, ASCII 8->52 dropped 54 C:\Users\user\AppData\Local\...\tmpE31E.tmp, XML 8->54 dropped 56 C:\Users\user\AppData\Local\...\RFQ.exe.log, ASCII 8->56 dropped 74 Writes to foreign memory regions 8->74 76 Allocates memory in foreign processes 8->76 78 Injects a PE file into a foreign processes 8->78 18 RegSvcs.exe 1 14 8->18         started        23 schtasks.exe 1 8->23         started        25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        signatures5 process6 dnsIp7 58 91.193.75.18, 1985, 49708 DAVID_CRAIGGG Serbia 18->58 46 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 18->46 dropped 48 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->48 dropped 68 Protects its processes via BreakOnTermination flag 18->68 70 Writes to foreign memory regions 18->70 72 Injects a PE file into a foreign processes 18->72 31 vbc.exe 1 18->31         started        34 schtasks.exe 1 18->34         started        36 schtasks.exe 1 18->36         started        38 vbc.exe 13 18->38         started        40 conhost.exe 23->40         started        file8 signatures9 process10 signatures11 80 Tries to steal Mail credentials (via file registry) 31->80 82 Tries to steal Instant Messenger accounts or passwords 31->82 84 Tries to steal Mail credentials (via file access) 31->84 42 conhost.exe 34->42         started        44 conhost.exe 36->44         started        process12
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a682ac9ef2f7b961a104799132c533960d192614ef6a43b1fd9a6a88bfdb6f21/
Threat name:
ByteCode-MSIL.Infostealer.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 05:08:09 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2bkzhxs664wdiiepgitfrjtsygrsjqu55vehmp5tjvirp63n4qq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2cc946f811083d61e8d5d5892188799086aec88c8f9a2dd68a3af4af2bc07e28
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2
NanoCore
8133b96955c936b094a7bfe2351554503c31ffd075767e0d5b735dd90a024dd4
NanoCore
83b70b20d0cdb13e9c420723ba5f025827d21e0c051c6e64b5553a5c372c3374
NanoCore
9c62e75f2dc168671bddfe8cad2b102197c10d9039d8917a7637585ff603dbdd
NanoCore
d05649a91cebb1b3cfa6133a69f39b94ea876cb9855df55573244b7d6504fac1
NanoCore
e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed
NanoCore
e4491a0d3030a3c03f75f931bb5f532b6064feb927a9664bda88c675d480b77c
NanoCore
fadcffc72696cb639334be446d2aeb90743b270276f48b730efbb59b73505a85
NanoCore
+ 1'054 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence keylogger trojan stealer spyware family:nanocore
Link:
https://tria.ge/reports/200831-hzr48czdxj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
91.193.75.18:1985
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a682ac9ef2f7b961a104799132c533960d192614ef6a43b1fd9a6a88bfdb6f21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 9d51443407c177041cba6daaca4bc66bad9dd33002fbb6744f9ad354427a4c03

NanoCore

Executable exe a682ac9ef2f7b961a104799132c533960d192614ef6a43b1fd9a6a88bfdb6f21

(this sample)

  
Dropped by
MD5 950741ea2c16067f44264b28c211346c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9d51443407c177041cba6daaca4bc66bad9dd33002fbb6744f9ad354427a4c03
Cape
Cape
https://www.capesandbox.com/analysis/53425/

Comments