MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccd0bc8e90dc66863f6aab4a7d41e633ffb0799acf61e400c0e8f2568279c696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccd0bc8e90dc66863f6aab4a7d41e633ffb0799acf61e400c0e8f2568279c696
SHA3-384 hash: b6c90485d04d085d586b8a80028cba908c0383a3d8ee090d70c6ecc9bc5017d1f9be89c3acb11102c5ccc2519f6038bf
SHA1 hash: babf737fe0bdc53992f6a5e0ee5d761dd21fb89a
MD5 hash: e989518eabe414ef4b959eb7de190e7c
humanhash: mango-high-undress-coffee
File name:22021Item_list_sheet#7292020_PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:745'984 bytes
First seen:2020-07-30 07:23:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Ef3O6B3TxwWJMAsu0J/5QObhvHbkhWUTN5zcZEFvpEFgKAxUQYff:Ef3nBNJLRWBTihVrQax
Threatray 1'287 similar samples on MalwareBazaar
TLSH 9EF4C0047B90E50FC66B8F7AC9D44800EEB8E9D6471BE38B74C537AF18CE36A9901675
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: tumppi.com
Sending IP: 95.211.208.25
From: Great China Trading Ltd<purchase@tumppi.com>
Subject: RE: 动回复 urgent inquiry for quote
Attachment: 22021Item_list_sheet7292020_PDF.rar (contains "22021Item_list_sheet#7292020_PDF.exe")

NanoCore RAT C2:
79.134.225.71:1990

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35346/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.18899.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/403264
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 253860 Sample: 22021Item_list_sheet#729202... Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 10 other signatures 2->55 8 22021Item_list_sheet#7292020_PDF.exe 1 2->8         started        12 dhcpmon.exe 1 2->12         started        14 22021Item_list_sheet#7292020_PDF.exe 2->14         started        16 dhcpmon.exe 2->16         started        process3 file4 45 22021Item_list_sheet#7292020_PDF.exe.log, ASCII 8->45 dropped 59 Injects a PE file into a foreign processes 8->59 18 22021Item_list_sheet#7292020_PDF.exe 1 12 8->18         started        23 dhcpmon.exe 2 12->23         started        25 22021Item_list_sheet#7292020_PDF.exe 2 14->25         started        27 dhcpmon.exe 16->27         started        signatures5 process6 dnsIp7 47 79.134.225.71, 1990, 49712, 49713 FINK-TELECOM-SERVICESCH Switzerland 18->47 37 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->37 dropped 39 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->39 dropped 41 C:\Users\user\AppData\Local\...\tmp709D.tmp, XML 18->41 dropped 43 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->43 dropped 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->57 29 schtasks.exe 1 18->29         started        31 schtasks.exe 1 18->31         started        file8 signatures9 process10 process11 33 conhost.exe 29->33         started        35 conhost.exe 31->35         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ccd0bc8e90dc66863f6aab4a7d41e633ffb0799acf61e400c0e8f2568279c696/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 07:25:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztilzduq3rtimp3kvnfh2qpggp73a6m2z5q6iaga5dzfnatzy2la._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
09f20acd87a94d2a22202840d712eb5658471c2c39168d6178890ddcc313e9f3
NanoCore
2f003ca84db5f82fcf36040f7d97baae64e0582e830c8c1cea65c32c3d5b21d5
NanoCore
3521a9cd1d18d9991b29966ae472097ae2996fc50c230ac06762f9e7666656f5
NanoCore
483338a656b2a7bf095d9bf3ca950419f217acdb9812b3d0013ccc13785f305e
NanoCore
5e3140ed7841e6893114a0d4d9c5ee239736449aaba20d2c8939a051e5ef21c5
NanoCore
8490e3d97ac25a9e1e87a0270a30076cc38b75ca705e28d5c78b93968b0231fb
NanoCore
93bf34f3e42fb55786de7c65c2aa7f8340194e12708170e7f9a0bf0c42c2a72f
NanoCore
cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae
NanoCore
cff3d5fedc8fdab09a7b27524a02503b53f4f7378ab0a09219701d3b9c3e68f4
NanoCore
ed544c300a04ddf77c6537f3cb78177f12c9a23e62d06189a19eee966caf9631
NanoCore
+ 1'277 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200730-gq9edy9pgj/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
NanoCore
Malware Config
C2 Extraction:
79.134.225.71:1990
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ccd0bc8e90dc66863f6aab4a7d41e633ffb0799acf61e400c0e8f2568279c696

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar cd37bd1fd712becace8f1e9025f0cc72833868f6668a2111e511a537bea50b33

NanoCore

Executable exe ccd0bc8e90dc66863f6aab4a7d41e633ffb0799acf61e400c0e8f2568279c696

(this sample)

  
Dropped by
MD5 eb8f5ec4fcc197efa21dac5a8a35f72f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35346/
  
Dropped by
SHA256 cd37bd1fd712becace8f1e9025f0cc72833868f6668a2111e511a537bea50b33

Comments