MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceffcce2144e6f7b1724f53f9812b05c6066efb4cf70ba1ff178a0f50d021d30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ceffcce2144e6f7b1724f53f9812b05c6066efb4cf70ba1ff178a0f50d021d30
SHA3-384 hash: 97e27dc2a63bd220cbe54979dd21a6fff229e054cdc44264e3e79d87aac1723c46d9544f68833b44ef5feab6f3a7ba81
SHA1 hash: 49ea58795f6dea1af77541352ce7a59c377db608
MD5 hash: c07ac357e1e7cc7e141dc7f85dda5677
humanhash: fruit-november-five-zebra
File name:000238956.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:793'600 bytes
First seen:2020-08-18 11:41:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e877e52c1d0025820b0d8228acf49bf6 (15 x AgentTesla, 14 x Loki, 4 x Formbook)
ssdeep 12288:H+p7p8KESESHe4/gD6WDSqWl/LDGTGM5irK8k3Wco25grxXf3+rfi0:2tRES4DBSq2KG2b/Pg1Wrj
Threatray 2'285 similar samples on MalwareBazaar
TLSH FAF48D66B2E0443FC166293D9D1B97747839BE102A285D866BE55CCF8FFC68138391E3
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: yahoo.com
Sending IP: 37.49.230.46
From: '' Fabrício''<cifuso@yahoo.com>
Subject: RE:INQURING
Attachment: 000238956.zip (contains "000238956.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47745/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
DNS request
Sending a UDP request
Connection attempt to an infection source
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ceffcce2144e6f7b1724f53f9812b05c6066efb4cf70ba1ff178a0f50d021d30/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 11:43:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z374zyqujzxxwfze6u7zqevqlrqgn35uz5yluh7rpcqpkdicduya._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0043c3f1ed670857f0a5d63148581c67c6878833bc767f194c77a6e9ddafb87b
NanoCore
254920e6788f4cb4975f08c5deef07e932f4a370a38c5197d7a4fb7846ea63ae
NanoCore
44096c1493b07b6097e73099250d28081e1729e2181420e90b5913030c9687b2
NanoCore
6a0a4894127b64d80992079cbcce8ab2b6998e65ac8dca03259697db83dc9332
NanoCore
8243c8a72e7a2021b4d956f5dafc19ded0162e9eb99f158f8da83660ea9368b5
NanoCore
8a1c7d516ce87b96194a19289d40a13f1cde869e3cfa844c3ec5a0b3a8899d38
NanoCore
abe03fc94f99d47117f6c75cf606d21b2cd361e5694076c87f6057e4c1eac212
NanoCore
b9929d5795c560d38f4e9a62b9f67c125f05af52411b0f780ccdaf30c5940a76
NanoCore
d58f997b8ee320ecd735457793e3f266ad3108dcc3306274431fe34c22f903fb
NanoCore
dc5fee6bdb6b8ee6e0a8992c7d4386c965b4a4ebae89b87d349602f0d3fba207
NanoCore
+ 2'275 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200818-pzvpwrqwj2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UPX packed file
NanoCore
Malware Config
C2 Extraction:
acokoye85.hopto.org:7600
185.140.53.15:7600
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ceffcce2144e6f7b1724f53f9812b05c6066efb4cf70ba1ff178a0f50d021d30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 29f40901e065f0610b38e98f9b0de767273e2f1759e61fdcb1115eb5c7c01b5a

NanoCore

Executable exe ceffcce2144e6f7b1724f53f9812b05c6066efb4cf70ba1ff178a0f50d021d30

(this sample)

  
Dropped by
MD5 f055c17c50311e30045993311c6bc0d4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47745/
  
Dropped by
SHA256 29f40901e065f0610b38e98f9b0de767273e2f1759e61fdcb1115eb5c7c01b5a

Comments