MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b20265f6aaff86503f7be16f8b9215763a9bd166135e506191e4212afbfca4ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b20265f6aaff86503f7be16f8b9215763a9bd166135e506191e4212afbfca4ed
SHA3-384 hash: 4b8f1a61b5b83a8be571136d5ed110d46b56b6fcdf00e4fb79a49f9c4e7d850f977447c539f70cf97ecd29ee74263e21
SHA1 hash: 11e5f74fb3a563a9160b35a4769397014f87ac36
MD5 hash: 9c08ce13b2f7974c0802b3e8b0545c93
humanhash: nuts-pizza-jig-december
File name:Receipt.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'050'624 bytes
First seen:2020-10-10 07:11:05 UTC
Last seen:2020-10-10 08:04:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:XDzjATdlpdrGssPfq+XBnK5IMy9CVYxhL5:XHUTdvossX/RK5I97
Threatray 941 similar samples on MalwareBazaar
TLSH F725DF88B151B19EC7D6B1319F64DCB8A7503C6E9A1A060770F33F5FBAFC5439A205A2
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mail.moenepa.cf
Sending IP: 160.251.7.172
From: Sales Departmet <admin@moenepa.cf>
Subject: Thank you for your payment!
Attachment: Receipt.img (contains "Receipt.exe")

NanoCore RAT C2:
u852117.nvpn.to:5638 (185.244.30.163)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-10-07T21:39:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69721/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487454
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b20265f6aaff86503f7be16f8b9215763a9bd166135e506191e4212afbfca4ed/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 19:09:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wibgl5vk76dfap334fxyxeqvoy5jxulgcnpfaymr4qqsv674utwq._file
Verdict:
unknown
Similar samples:
065e8a67f2f183b639efbce3d4014c2d21e658f0e7fb92ae57a6cef9acd12626
NanoCore
1dbc1c2ea41a79c3046b9f0796248ba48db207c93fb7c1521e81763671298144
NanoCore
3e0a5536a96d3ea0b97b034c193bcb933f2dd8dfc8e159915951ab3842630b20
NanoCore
5b906f526f79a607ad3677bd9873c6a209a9952d93700629a4dd5b7b43ae347b
NanoCore
7c479cfb9c3df15b565e16fc62709d8af849773c5112b53bf4d41f939219d6d8
NanoCore
ac6059835dff236452027450749d077775411e277447a711e5f53bea47262821
NanoCore
c4b216f8933c36d4ac90ab772e7b5ec375e87e009c3d45022e953870feb320c2
NanoCore
d0a30f40bc29f4282f79ceb0f3391ee6b77d3837fdc1bd3208c4ad2ed392940c
NanoCore
df9b3d41a51bfe74090579138acaf0e2b6745c24f3625f3e3c6a4f6da00e2074
NanoCore
dfa5e1f893c313deda7e7ea47512b756a21bba962e07cb21248b9abbdaadf3a4
NanoCore
+ 931 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore
Link:
https://tria.ge/reports/201010-937bayh8gj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
u852117.nvpn.to:5638
Unpacked files
SH256 hash:
b20265f6aaff86503f7be16f8b9215763a9bd166135e506191e4212afbfca4ed
MD5 hash:
9c08ce13b2f7974c0802b3e8b0545c93
SHA1 hash:
11e5f74fb3a563a9160b35a4769397014f87ac36
Link:
https://www.unpac.me/results/87942fee-5c41-4b97-bfb2-640ec04dfb25/
SH256 hash:
6c1581cc0950c5018833ffc0cbc44f45afe569ad46e0b4685fabe734c47ba971
MD5 hash:
95abcc15c5e18f99a01d49269899e1aa
SHA1 hash:
20edd658a2f44486c2a36a1b0a0dedf17336e01b
Link:
https://www.unpac.me/results/87942fee-5c41-4b97-bfb2-640ec04dfb25/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/87942fee-5c41-4b97-bfb2-640ec04dfb25/
SH256 hash:
2682ab3fbe024e7c4a76a61ac03f6d8f49f1628124056bc82f2a001ccc93a147
MD5 hash:
13ef721172488706899f5004791322f5
SHA1 hash:
97860fe24817563d0ed443cb3aeaf1f2bba827e8
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/87942fee-5c41-4b97-bfb2-640ec04dfb25/
Parent samples :
8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17
b20265f6aaff86503f7be16f8b9215763a9bd166135e506191e4212afbfca4ed
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/b20265f6aaff86503f7be16f8b9215763a9bd166135e506191e4212afbfca4ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img 936236bd630d58048f901753f76083e02108c93daeb9e9532ccb53d7f8ec3553

NanoCore

Executable exe b20265f6aaff86503f7be16f8b9215763a9bd166135e506191e4212afbfca4ed

(this sample)

  
Dropped by
MD5 88e98d63a6a5d9e54454549f352fd915
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69721/
  
Dropped by
SHA256 936236bd630d58048f901753f76083e02108c93daeb9e9532ccb53d7f8ec3553

Comments