MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d968d93ec39951451366b025e043dcef49dffcf697e2f23a64bedf222c3ade55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10


SHA256 hash: d968d93ec39951451366b025e043dcef49dffcf697e2f23a64bedf222c3ade55
SHA3-384 hash: 3a603bdb421feed7a14944d05e6f7faab38819cb449c18239455b7a843374f0519764d3e54582172cf25fa2ffc0469e0
SHA1 hash: 0b19b73781ce6db1576ffc48e76794cd0c384526
MD5 hash: 83f35f784812c69575c29bad4a97ff12
humanhash: blue-kentucky-carolina-robert
File name: 83f35f784812c69575c29bad4a97ff12.exe
Signature: NanoCore
File size: 891'392 bytes
First seen: 2020-07-22 06:35:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e01edf6e44755e0328837b108f7966d (7 x AgentTesla, 5 x Loki, 3 x NanoCore)
ssdeep: 12288:YQ/ena6F83r+bPrsdB0L0gazjJsJNulttShwmAlQOnwmxzd1ckk9Z8Be:DaaFabDs7btHlttqwmFrc15kUE
Threatray: 3'312 similar samples on MalwareBazaar
TLSH: C6159E72F1934833C162DA3C8D5BA678982ABD111A297647ABF44F8C5F3E64338352D7
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore RAT C2:
harri2gudd.duckdns.org:2177
69.65.7.130:2177

Intelligence


File Origin
# of uploads: 1
# of downloads: 74
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 249590
Sample: BgfRmgNPyG.exe
Startdate: 22/07/2020
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 10 other signatures
Process tree:
BgfRmgNPyG.exe
    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    notepad.exe
        signatures: Creates files in alternative data streams (ADS)
        dropped: C:\Users\user\AppData\Roaming\...\hhsyrbs.exe, PE32; C:\Users\user\...\hhsyrbs.exe:Zone.Identifier, ASCII
        hhsyrbs.exe
            signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 3 other signatures
            hhsyrbs.exe
                network: harri2gudd.duckdns.org 105.112.104.62, 2177 VNL1-ASNG Nigeria; 69.65.7.130, 2177, 49724, 49725 ASN-GIGENETUS United States
                dropped: C:\Program Files (x86)\...\wpasv.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859; C:\Users\user\AppData\Local\...\tmp6158.tmp, XML; C:\...\wpasv.exe:Zone.Identifier, ASCII
                signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                schtasks.exe -> conhost.exe
                schtasks.exe -> conhost.exe
            hhsyrbs.exe
wpasv.exe (two instances)
    notepad.exe
        hhsyrbs.exe
            signatures (one instance): Maps a DLL or memory area into another process
            hhsyrbs.exe (chain continues through several further hhsyrbs.exe generations)
hhsyrbs.exe
    signatures: Maps a DLL or memory area into another process
    hhsyrbs.exe (three instances; one drops C:\Users\user\AppData\...\hhsyrbs.exe.log, ASCII)
        hhsyrbs.exe (chain continues through further hhsyrbs.exe generations)
Innermost hhsyrbs.exe in the wpasv.exe chain: Maps a DLL or memory area into another process; Sample uses process hollowing technique
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-22 06:37:04 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: upx evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
NTFS ADS
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
UPX packed file
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
harri2gudd.duckdns.org:2177
69.65.7.130:2177
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
NanoCore
Executable exe d968d93ec39951451366b025e043dcef49dffcf697e2f23a64bedf222c3ade55 (this sample)

Delivery method: Distributed via web download

Comments