MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf690b9b4ab2e0306b94b1a09431878786eb0fd6e858ac1f5d21c29a78b1f8d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	bf690b9b4ab2e0306b94b1a09431878786eb0fd6e858ac1f5d21c29a78b1f8d0
SHA3-384 hash:	8240b7031cab03987c1867795a39282269d9a8452a567f2ee8189fc1b2e71135c7ab42f18ffa88e8b9708521de337699
SHA1 hash:	e1ce2e867f1f55793d74fe475b5816a33df6068c
MD5 hash:	6cf658772409aad77bf399877c3ba5ce
humanhash:	jupiter-football-quiet-sierra
File name:	Asif Javed Resume 01.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	705'536 bytes
First seen:	2020-07-16 06:45:47 UTC
Last seen:	2020-07-19 10:56:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9f24c32fbb9fcdef16773efcde23b409 (3 x AgentTesla, 2 x NanoCore, 1 x QuasarRAT)
ssdeep	12288:f1bl3SKiQ9X5M1EL6GgmV5hT82Hnb6tYWqXF480d3kWV2HLVIdGq:BVoQ9EWe23Q0b6tYxVc3kWVWVGGq
Threatray	3'226 similar samples on MalwareBazaar
TLSH	FFE4BF2EF2AC0472C173567D9C3B5778A836BE1139286D836BE55C4C6F39381386B297
Reporter	abuse_ch
Tags:	exe NanoCore

abuse_ch

Malspam distributing NanoCore:

HELO: jmigroup-bd.com
Sending IP: 37.49.230.190
From: Asif Javed <asif.javed.moiz@gmail.com>
Subject: Resume for the post of Sales Executive Islamabad
Attachment: Asif Javed Resume 01.pdf.zip (contains "Asif Javed Resume 01.exe")

NanoCore RAT C2:
harri2gudd.duckdns.org:2177 (105.112.104.62)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/26387/

Detection(s):

Win.Malware.Daqc-6598201-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

Creating a file in the %temp% directory

Launching a process

Deleting a recently created file

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun with Startup directory

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/bf690b9b4ab2e0306b94b1a09431878786eb0fd6e858ac1f5d21c29a78b1f8d0/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-16 04:14:00 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x5uqxg2kwlqda24uwgqjimmhq6dowd6w5bmkyh25ehbju6fr7dia._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

NanoCore

290404d235fcb1fd5f5656a2d4b755416100c005f27f7f7fcbed7dfcdb9c2a2b

NanoCore

5ade9d2627b6dc5d38a850e6a49f6557a9d9c63d16fe0199496a5559a74e7956

NanoCore

6e417fffcd28aea1071fa5c5b240b2f2e655efd6a153040c3fb64876736dcaa5

NanoCore

766904989084e0264f16fd4aff548ca862836d2f6a4ce72c4d0bf66ff78ec478

NanoCore

a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7

NanoCore

aee0158a9f836306b64e6c99e732073aa81fe23944c91a3d0fcf9a92508019ec

NanoCore

be991fbee477b265767ac176f6e0c35de51c9616d58a4e72b1b2929d292fe0c1

NanoCore

c83638f4f7a2be7e116bd5efcae9df5522724b776f1334326aeadec2db16e000

NanoCore

f304855a11aedd539b9bdb686b1d5781e0d7080560f9520c6bda8586947b3285

NanoCore

+ 3'216 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

upx persistence spyware evasion trojan keylogger stealer family:nanocore

Link:

https://tria.ge/reports/200716-me4x3qep76/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run key to start application

Reads user/profile data of web browsers

Uses the VBS compiler for execution

UPX packed file

NanoCore

Malware Config

C2 Extraction:

harri2gudd.duckdns.org:2177
69.65.7.130:2177

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/