MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0fe48e42fb4769fd14e90de135d33729de312e0b82ba907885b26462f80af01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0fe48e42fb4769fd14e90de135d33729de312e0b82ba907885b26462f80af01
SHA3-384 hash: 78d2b4db58818c812f52146286b3cc264c51db890d3a58987056f15cea2e5080e058f0b904362e38915544e423310bd8
SHA1 hash: bcf54e6e81ad02451495565358c4d75da527416f
MD5 hash: 12c7e04ea8bc4daac3b7d7ec8bbd5b3c
humanhash: timing-thirteen-pluto-potato
File name:RFQ.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:573'952 bytes
First seen:2020-08-14 08:47:22 UTC
Last seen:2020-08-14 09:42:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:LS1FFkBGs5bc5tHBonRQ11OwmJpx3Mzt3jRxvaExzjj7rMn/t7WOXMV:LS1zkkNtheQXmJv38fvZDM/t7Wd
Threatray 1'157 similar samples on MalwareBazaar
TLSH D5C45A3935D2485CC56A62755428A8C3B33662873ED6CF6EA1CB23C95E036DF7B1306E
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT Yahoo


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: sonic305-21.consmr.mail.sg3.yahoo.com
Sending IP: 106.10.241.84
From: Albert Zuzarte <aezuzarte@yahoo.co.in>
Reply-To: Albert Zuzarte <aezuzarte@yahoo.co.in>
Subject: LOI AND RFQ
Attachment: RFQ.zip.lha (contains "RFQ.exe")

NanoCore RAT C2:
chidinduirofuala.ddns.net:45456 (79.134.225.74)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45652/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.3937.2039.10169.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/429058
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Add file from suspicious location to autostart registry
Sigma detected: NanoCore
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 267019 Sample: RFQ.exe Startdate: 15/08/2020 Architecture: WINDOWS Score: 100 48 chidinduirofuala.ddns.net 2->48 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Sigma detected: NanoCore 2->64 66 5 other signatures 2->66 8 RFQ.exe 9 2->8         started        12 pcalua.exe 1 2->12         started        14 dhcpmon.exe 2->14         started        16 pcalua.exe 1 1 2->16         started        signatures3 process4 file5 36 C:\Users\user\AppData\Roaming\abobex.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\...\InstallUtil.exe, PE32 8->38 dropped 40 C:\Users\user\...\abobex.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\Temp\...\l.dll, PE32 8->42 dropped 68 Tries to detect virtualization through RDTSC time measurements 8->68 18 abobex.exe 2 8->18         started        21 cmd.exe 1 8->21         started        23 abobex.exe 3 12->23         started        25 conhost.exe 14->25         started        signatures6 process7 signatures8 52 Writes to foreign memory regions 18->52 54 Allocates memory in foreign processes 18->54 56 Injects a PE file into a foreign processes 18->56 27 InstallUtil.exe 1 8 18->27         started        32 reg.exe 1 1 21->32         started        34 conhost.exe 21->34         started        58 Tries to detect virtualization through RDTSC time measurements 23->58 process9 dnsIp10 50 chidinduirofuala.ddns.net 105.112.100.239, 45456 VNL1-ASNG Nigeria 27->50 44 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 27->44 dropped 46 C:\Program Files (x86)\...\dhcpmon.exe, PE32 27->46 dropped 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->70 72 Creates an autostart registry key pointing to binary in C:\Windows 32->72 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0fe48e42fb4769fd14e90de135d33729de312e0b82ba907885b26462f80af01/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 08:49:05 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yd7erzbpwr3j7ukosdpbgxjtoko6gexaxav2sb4ilmteml4av4aq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
7224ce18911e8f1865c59ea87da299938b7e1aaa3d1a3bfcc4c5d33bb8ab935d
NanoCore
7b5bc8135bbabcf6428dd19187f5216ef5cbabd88bb8386c91f30b35ac9ae851
NanoCore
93bf34f3e42fb55786de7c65c2aa7f8340194e12708170e7f9a0bf0c42c2a72f
NanoCore
94bb69e726461f198145fac175e2e27ccc72534ae29db90cfaef683e726adec2
NanoCore
b3289e282e7c031fde98778bac0057bad5d933c85da0b43d95f177c6333fc3c2
NanoCore
b8f668a48ebd4f1df718792fb3756c03053f91a1737910220a63cdfe67d9ad75
NanoCore
bc42fd114a0308d12edb1ef9ab5b5d44c3cf3d447e7cf9e0218aae671fe25d39
NanoCore
be240aed297970b0e97f46ce8964784645c8bfeb7b4ffc451ab7857b7df8438f
NanoCore
e9b9c624c29a9aefaa2f235d9014a3bb4350f844d617530da216e434a53660b9
NanoCore
fa885e667cc43b0acd85af66802d2eaa9266ceed59a74589b415aa0ef45e4ce9
NanoCore
+ 1'147 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore
Link:
https://tria.ge/reports/200814-saafketk3a/
Behaviour
Nanocore family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NanoCore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0fe48e42fb4769fd14e90de135d33729de312e0b82ba907885b26462f80af01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip d9a2fc1adf04630e91162b04a88010f410930d050e5acb7ace99dc7220430bc8

NanoCore

Executable exe c0fe48e42fb4769fd14e90de135d33729de312e0b82ba907885b26462f80af01

(this sample)

  
Dropped by
MD5 69e0fe061aa46600e44f25ac67bfc672
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45652/
  
Dropped by
SHA256 d9a2fc1adf04630e91162b04a88010f410930d050e5acb7ace99dc7220430bc8

Comments