MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c885429e131f2a8913a92af0d9fe3eae982fabf383789821f7db2b54eb235d8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

SHA256 hash: c885429e131f2a8913a92af0d9fe3eae982fabf383789821f7db2b54eb235d8a
SHA3-384 hash: cc729258c830385879ebf345dd9d3782cd2cf9385627ec3c125ad66f2cf060cfc1782fa7c333996e6dac60de10228371
SHA1 hash: 826402eed9b81399ccd427c04122c16f127b1a52
MD5 hash: 3f74847262de69a8e5ea4b38e852be89
humanhash: emma-sweet-pasta-four
File name: 3f74847262de69a8e5ea4b38e852be89.exe
Signature: NanoCore
File size: 795'136 bytes
First seen: 2020-07-20 11:30:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 947a363cee796918c4dd5f0352950426 (5 x AgentTesla, 5 x Loki, 5 x MassLogger)
ssdeep: 12288:CpxEDrQY5EvoFzhlmTS1i4jkkg52CKRC8fZ9Gq7Vc/Dabbd2b66PtvU4m2IGEwd:Sa8voVOIObYfZoie/D0s269rm2Wwd
Threatray: 2'593 similar samples on MalwareBazaar
TLSH: C605B066F1E04877C1671B7C4D1BA2A8A836BE003E2C99766FF75C4CDF3A64034A5297
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore RAT C2s:
harri2gudd.duckdns.org:2177 (105.112.104.62)
69.65.7.130:2177

Intelligence

File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: ID 248116; sample uEasvmuSEh.exe; start date 21/07/2020; architecture WINDOWS; score 100. The graph image itself is not reproducible here; the information recoverable from it follows.
Processes in graph: uEasvmuSEh.exe, wpasv.exe, notepad.exe, jshuiwe.exe, schtasks.exe, conhost.exe
Network: harri2gudd.duckdns.org (105.112.104.62, port 2177, VNL1-ASNG Nigeria); 69.65.7.130 (port 2177, ASN-GIGENETUS United States)
Dropped files: C:\Users\user\AppData\Roaming\...\jshuiwe.exe (PE32) with Zone.Identifier ADS; C:\Users\user\AppData\Roaming\...\win.vbs (ASCII); C:\Users\user\AppData\...\jshuiwe.exe.log (ASCII); C:\Program Files (x86)\...\wpasv.exe (PE32) with Zone.Identifier ADS; C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\Temp\tmp3B9.tmp (XML)
Signatures in graph: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Contains functionality to detect sleep reduction / modifications; Maps a DLL or memory area into another process; Creates files in alternative data streams (ADS); Drops VBS files to the startup folder; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Hides that the sample has been downloaded from the Internet (zone.identifier); Sample uses process hollowing technique; 11 other signatures
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-20 11:32:06 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: nanocore
Score: 10/10
Tags: upx persistence spyware evasion trojan keylogger stealer family:nanocore
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
NTFS ADS
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Uses the VBS compiler for execution
UPX packed file
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
harri2gudd.duckdns.org:2177
69.65.7.130:2177
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: NanoCore
File: Executable exe c885429e131f2a8913a92af0d9fe3eae982fabf383789821f7db2b54eb235d8a (this sample)
Delivery method: Distributed via web download