MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0
SHA3-384 hash: 3b595055214cbc444a89b1751e8c8dc99bcfa09808c4a5af4d61424b85eb174fe82f8c1213f4a08b09bf62fb7e159e05
SHA1 hash: d6721472493a5d36856eb309d6d34e3ae3efa3bc
MD5 hash: 43facde504e374535293d4cdf8596825
humanhash: sweet-jupiter-blossom-victor
File name:New Doc 11722586280708221000427225862807082210004.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:329'728 bytes
First seen:2020-08-04 13:16:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:ZCxV8fcOHWhHUxUjB1lmMnTFIXuGt6O0DO9C7eZM6+C++zA/BoP0P+EbW:ZCL8pUjBfmMeXudNO9XZ12+zPia
Threatray 1'116 similar samples on MalwareBazaar
TLSH F764D01E568C8BDFC5B5C87CD0B294BF2BB1B43529A2E75E658841E61D43382DE8334B
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: linux01.performans.com
Sending IP: 217.195.206.28
From: j.taner@freskotasarim.com.tr
Subject: PO
Attachment: PO AO-20051.7z (contains "New Doc 11722586280708221000427225862807082210004.exe")

NanoCore RAT C2:
185.244.30.10:3310

Hosted on nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU4
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-07-28T21:04:34Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38684/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a file
Deleting a recently created file
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Forced shutdown of a system process
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/409424
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256990 Sample: New Doc 1172258628070822100... Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Sigma detected: Scheduled temp file as task from temp location 2->75 77 8 other signatures 2->77 12 New Doc 11722586280708221000427225862807082210004.exe 2 2->12         started        16 RegAsm.exe 2 2->16         started        process3 file4 67 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 12->67 dropped 95 Maps a DLL or memory area into another process 12->95 18 New Doc 11722586280708221000427225862807082210004.exe 12->18         started        21 RegAsm.exe 8 12->21         started        25 conhost.exe 16->25         started        signatures5 process6 dnsIp7 79 Maps a DLL or memory area into another process 18->79 27 New Doc 11722586280708221000427225862807082210004.exe 18->27         started        30 RegAsm.exe 2 18->30         started        69 185.244.30.10, 3310, 49724, 49728 DAVID_CRAIGGG Netherlands 21->69 63 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 21->63 dropped 65 C:\Users\user\AppData\Local\...\tmp2565.tmp, XML 21->65 dropped 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->81 32 schtasks.exe 1 21->32         started        file8 signatures9 process10 signatures11 93 Maps a DLL or memory area into another process 27->93 34 New Doc 11722586280708221000427225862807082210004.exe 27->34         started        37 RegAsm.exe 2 27->37         started        39 conhost.exe 32->39         started        process12 signatures13 83 Maps a DLL or memory area into another process 34->83 41 New Doc 11722586280708221000427225862807082210004.exe 34->41         started        44 RegAsm.exe 34->44         started        process14 signatures15 87 Maps a DLL or memory area into another process 41->87 46 New Doc 11722586280708221000427225862807082210004.exe 41->46         started        49 RegAsm.exe 41->49         started        process16 signatures17 97 Maps a DLL or memory area into another process 46->97 51 New Doc 11722586280708221000427225862807082210004.exe 46->51         started        54 RegAsm.exe 46->54         started        56 RegAsm.exe 46->56         started        process18 signatures19 85 Maps a DLL or memory area into another process 51->85 58 New Doc 11722586280708221000427225862807082210004.exe 51->58         started        61 RegAsm.exe 51->61         started        process20 signatures21 89 Writes to foreign memory regions 58->89 91 Maps a DLL or memory area into another process 58->91
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 13:17:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2cu43z7l5uw26qyg4dtwuna6nrbjhp4zatwumt237s2gfxajthia._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2f003ca84db5f82fcf36040f7d97baae64e0582e830c8c1cea65c32c3d5b21d5
NanoCore
65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10
NanoCore
6aa3059db34fb36662907183cf3780aac4b4c00e663f261a59aeebc00c03a5c0
NanoCore
75830575168e1d024a8d0c86764cb9b88eea3c79f0c4a24fb39d4e94fd2c42d7
NanoCore
819b7cdae5437e09dddc2263080df829d2e8ba725f4364bfddf0cd10eb848692
NanoCore
a37f501c2d65d191828fe20bf148436de23201f6fe852d59dfa67aaa5fc206e8
NanoCore
d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a
NanoCore
e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69
NanoCore
f5ccc5ce755b5273935290c41751582654c3f4783c07df8cf91dd783cd3afc1b
NanoCore
f86a114e73dd0f15bc888e3db1477aa4c92d333bb236c4d3d1f49e72858bb80d
NanoCore
+ 1'106 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200804-gw6fjezree/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Uses the VBS compiler for execution
Reads user/profile data of web browsers
NanoCore
Malware Config
C2 Extraction:
185.244.30.10:3310
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f5d8ead2f87564818b10ac7c73a1d6d8

NanoCore

Executable exe d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0

(this sample)

  
Dropped by
MD5 f5d8ead2f87564818b10ac7c73a1d6d8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38684/

Comments