MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c83638f4f7a2be7e116bd5efcae9df5522724b776f1334326aeadec2db16e000. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c83638f4f7a2be7e116bd5efcae9df5522724b776f1334326aeadec2db16e000
SHA3-384 hash: 309f303cd4cd98e86b32e378437a87e9a3cfb8f23934149f654f9555c553bcafc82804004a32b921c2e4fb59f58f3f38
SHA1 hash: 2bd14840f76870cc9d8d4415031a5250e7916d4f
MD5 hash: 967b0493c047e9224b5c3cef7dc76330
humanhash: oregon-utah-black-pluto
File name:ASP511_16072020.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:706'048 bytes
First seen:2020-07-16 08:02:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f24c32fbb9fcdef16773efcde23b409 (3 x AgentTesla, 2 x NanoCore, 1 x QuasarRAT)
ssdeep 12288:z1bl3SKiQ9X5M1EL6GgmV5hT82Hnb6tYSYc7l8Kz95a1:NVoQ9EWe23Q0b6tYQRhO
Threatray 2'816 similar samples on MalwareBazaar
TLSH 3AE4BF2EF2EC0476C17316799C3B97B8A836BE113D285D876BE55C4C6F39241396B283
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: kaitlynkaizer.co.za
Sending IP: 45.143.222.165
From: Sophie Miura <Sophie.mi12@yahoo.com>
Subject: Re:Refund of Payment
Attachment: ASP511_16072020.pdf.zip (contains "ASP511_16072020.exe")

NanoCore RAT C2:
wazzy.ddns.net:1716 (91.193.75.3)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@privacyfirst.sh'

inetnum: 91.193.75.0 - 91.193.75.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
abuse-c: ACRO34258-RIPE
mnt-by: PRIVACYFIRST-MNT
mnt-by: RIPE-NCC-END-MNT
status: ASSIGNED PI
org: ORG-KHd1-RIPE
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2020-07-15T15:25:07Z
source: RIPE


Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26497/
Detection(s):
Win.Malware.Daqc-6598201-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389437
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 246901 Sample: ASP511_16072020.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 67 wazzy.ddns.net 2->67 75 Multi AV Scanner detection for domain / URL 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 9 other signatures 2->81 15 ASP511_16072020.exe 2->15         started        18 ASP511_16072020.exe 2->18         started        signatures3 process4 signatures5 89 Maps a DLL or memory area into another process 15->89 20 ASP511_16072020.exe 15->20         started        22 ASP511_16072020.exe 3 15->22         started        91 Detected unpacking (changes PE section rights) 18->91 93 Detected unpacking (creates a PE file in dynamic memory) 18->93 95 Detected unpacking (overwrites its own PE header) 18->95 97 Contains functionality to detect sleep reduction / modifications 18->97 25 ASP511_16072020.exe 10 18->25         started        29 ASP511_16072020.exe 18->29         started        process6 dnsIp7 31 ASP511_16072020.exe 20->31         started        61 C:\Users\user\...\ASP511_16072020.exe.log, ASCII 22->61 dropped 69 wazzy.ddns.net 105.112.102.244, 1716 VNL1-ASNG Nigeria 25->69 71 194.5.99.24, 1716 DANILENKODE Netherlands 25->71 63 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 25->63 dropped 65 C:\Users\user\AppData\Local\...\tmpB21F.tmp, XML 25->65 dropped 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->85 34 schtasks.exe 1 25->34         started        file8 signatures9 process10 signatures11 99 Maps a DLL or memory area into another process 31->99 36 ASP511_16072020.exe 31->36         started        38 ASP511_16072020.exe 2 31->38         started        40 conhost.exe 34->40         started        process12 process13 42 ASP511_16072020.exe 36->42         started        signatures14 87 Maps a DLL or memory area into another process 42->87 45 ASP511_16072020.exe 42->45         started        47 ASP511_16072020.exe 2 42->47         started        process15 process16 49 ASP511_16072020.exe 45->49         started        signatures17 73 Maps a DLL or memory area into another process 49->73 52 ASP511_16072020.exe 49->52         started        54 ASP511_16072020.exe 49->54         started        process18 process19 56 ASP511_16072020.exe 52->56         started        signatures20 83 Maps a DLL or memory area into another process 56->83 59 ASP511_16072020.exe 56->59         started        process21
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c83638f4f7a2be7e116bd5efcae9df5522724b776f1334326aeadec2db16e000/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 08:04:07 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=za3dr5hxuk7h4ell2xx4v2o7kurhes3xn4jtimtk5lpmfwyw4aaa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
NanoCore
24fe76a4e6cd5623f2326d2f43de09b9b6f4de236e80ea5aca50b76da888c0af
NanoCore
3ec241071c7e4652915d56d349936696967e54a34d4943a51bdb20a91893331b
NanoCore
68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3
NanoCore
90474a0270106b33e3208a63041d2e4d013b1d2b415bf3bf44e9a5ab685d0531
NanoCore
a4d6c0a909365bd89fdf812fbb75f92edc06fcd2a9a7b3c6d9b553ffe124858f
NanoCore
be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0
NanoCore
c18ae57203cb03daa5d28d11862951854656f2ce1f7d74237d3972345e7140ad
NanoCore
c70637a7eb05b36175b101211cda02663eeefff3ea85b0742c5be6f7badd0a75
NanoCore
e1bf95bd96a59075ac24eec7c47b3142361ea79c1fb68e2b6039212fba523449
NanoCore
+ 2'806 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200716-3asqgn3lt2/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UPX packed file
NanoCore
Malware Config
C2 Extraction:
wazzy.ddns.net:1716
194.5.99.24:1716
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 36639a072abbb9603031d3b620776c5fa339cd7595da2dbb2d076cfdb033c6fd

NanoCore

Executable exe c83638f4f7a2be7e116bd5efcae9df5522724b776f1334326aeadec2db16e000

(this sample)

  
Dropped by
MD5 652e1ab5cbdb2467b3be1e532455b8df
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26497/
  
Dropped by
SHA256 36639a072abbb9603031d3b620776c5fa339cd7595da2dbb2d076cfdb033c6fd

Comments