MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be991fbee477b265767ac176f6e0c35de51c9616d58a4e72b1b2929d292fe0c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 9



SHA256 hash: be991fbee477b265767ac176f6e0c35de51c9616d58a4e72b1b2929d292fe0c1
SHA3-384 hash: 2c6a0c60bff09cd6f5369a3e22a4805f34d6519d8f5b9b4658636ca682eeea03c62bb1b368bd550f4bb971d9d3976d8f
SHA1 hash: 55e2d28fd1cc4af0e51e0da47704f1a5c9dd3de4
MD5 hash: ea1a9e76f4b4ff8b4f6559a46f2da3fb
humanhash: seven-diet-bravo-comet
File name: ea1a9e76f4b4ff8b4f6559a46f2da3fb.exe
Signature: NanoCore
File size: 749'056 bytes
First seen: 2020-07-29 06:51:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e8ef47e85c79ee608837cc415c05c43b (15 x AgentTesla, 5 x NanoCore, 5 x Loki)
ssdeep: 12288:rRXtpnVH9Az44BnvOCDhzcl0UdKndi2bnXVsOkccfNBhLV06giq:rfd8z4byilBdlGX989p06giq
Threatray: 2'680 similar samples on MalwareBazaar
TLSH: D9F4AF66B2E14832D1A72E389C1B57649F3ABEC0EE3C59452FFC1C4C5F396813866297
Reporter: abuse_ch
Tags: exe NanoCore nVpn RAT


abuse_ch
NanoCore RAT C2:
ndlovusamkello.hopto.org:3940 (185.140.53.132)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 74
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph: [graph image not preserved] Behavior Graph ID: 252922, Sample: DvYWRCSr5w.exe, Startdate: 29/07/2020, Architecture: WINDOWS, Score: 100
Process chain recoverable from the graph:
- DvYWRCSr5w.exe (injects code into remote processes, writes to and allocates foreign memory) starts notepad.exe
- notepad.exe drops C:\Users\user\AppData\Roaming\...\hgyuj.exe (PE32), C:\Users\user\...\hgyuj.exe:Zone.Identifier (ADS) and C:\Users\user\AppData\Roaming\...\web.vbs (VBS file in the startup folder), then starts hgyuj.exe
- wscript.exe (startup) starts hgyuj.exe, which maps a DLL or memory area into another process and spawns further hgyuj.exe copies
- hgyuj.exe unpacks in memory (changes PE section rights, creates a PE file in dynamic memory), drops C:\Users\user\AppData\Roaming\...\run.dat, hides the Zone.Identifier mark and connects to ndlovusamkello.hopto.org (185.140.53.132:3940, DAVID_CRAIGGG, Sweden)
Threat name: Win32.Trojan.DataStealer
Status: Malicious
First seen: 2020-07-29 06:53:05 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: upx evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Drops startup file
UPX packed file
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
ndlovusamkello.hopto.org:3940
185.140.53.132:3940
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | NanoCore | Executable exe | be991fbee477b265767ac176f6e0c35de51c9616d58a4e72b1b2929d292fe0c1 (this sample)

Delivery method: Distributed via web download

Comments