MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da8f7980c887ac05dd4c2e53c50c17bebe208be1758d6b7879144efb53d5a963. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da8f7980c887ac05dd4c2e53c50c17bebe208be1758d6b7879144efb53d5a963
SHA3-384 hash: 7531dc3e444db0e58ef0c90fedf76b24b45d10403cd47d3541696bc4f26194e9faf6809b3e74fed3b53848217faf96e9
SHA1 hash: df3b1951c269379a5a3d88e2ed923fe744e1c764
MD5 hash: 852ecb84ca7a03733a9f0d91e4943dc5
humanhash: florida-mirror-carbon-mountain
File name:New Order.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:749'056 bytes
First seen:2020-07-29 06:55:22 UTC
Last seen:2020-07-29 13:52:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ef47e85c79ee608837cc415c05c43b (15 x AgentTesla, 5 x NanoCore, 5 x Loki)
ssdeep 12288:DRXtpnVH9Az44BnvOCDhzcl0UdKndi2bnXS4DAMT7o/0ttSVbL94NKg:Dfd8z4byilBdlGXPDAMT7e0sqZ
Threatray 2'923 similar samples on MalwareBazaar
TLSH 15F4AF22A2E17B33D1672E789C1B57649BFABE002E3459452FFC1C4C9F397813866297
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: fdx.co.th
Sending IP: 95.211.211.232
From: Cee Purchasing Department <cee@fdx.co.th>
Subject: New Order
Attachment: New Order.gz (contains "New Order.exe")

NanoCore RAT C2:
79.134.225.121:7583

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34279/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.10936.15784.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun with Startup directory
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401413
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252939 Sample: New Order.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 14 other signatures 2->96 10 New Order.exe 2->10         started        13 dhcpmon.exe 2->13         started        15 New Order.exe 2->15         started        17 dhcpmon.exe 2->17         started        process3 signatures4 104 Maps a DLL or memory area into another process 10->104 19 New Order.exe 1 14 10->19         started        24 New Order.exe 10->24         started        26 dhcpmon.exe 13->26         started        28 dhcpmon.exe 13->28         started        30 New Order.exe 15->30         started        32 New Order.exe 3 15->32         started        34 dhcpmon.exe 17->34         started        36 dhcpmon.exe 3 17->36         started        process5 dnsIp6 88 79.134.225.121, 49729, 49730, 49735 FINK-TELECOM-SERVICESCH Switzerland 19->88 78 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->78 dropped 80 C:\Users\user\AppData\Roaming\...\run.dat, data 19->80 dropped 82 C:\Users\user\AppData\Local\...\tmp2A55.tmp, XML 19->82 dropped 84 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->84 dropped 102 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->102 38 schtasks.exe 1 19->38         started        40 schtasks.exe 1 19->40         started        42 dhcpmon.exe 26->42         started        45 New Order.exe 30->45         started        86 C:\Users\user\AppData\...86ew Order.exe.log, ASCII 32->86 dropped 47 dhcpmon.exe 34->47         started        file7 signatures8 process9 signatures10 49 conhost.exe 38->49         started        65 2 other processes 38->65 51 conhost.exe 40->51         started        106 Maps a DLL or memory area into another process 42->106 108 Sample uses process hollowing technique 42->108 53 dhcpmon.exe 42->53         started        55 dhcpmon.exe 42->55         started        57 New Order.exe 45->57         started        59 New Order.exe 45->59         started        61 dhcpmon.exe 47->61         started        63 dhcpmon.exe 47->63         started        process11 process12 67 dhcpmon.exe 53->67         started        70 New Order.exe 57->70         started        72 dhcpmon.exe 61->72         started        signatures13 98 Maps a DLL or memory area into another process 67->98 100 Sample uses process hollowing technique 67->100 74 dhcpmon.exe 72->74         started        76 dhcpmon.exe 72->76         started        process14
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/da8f7980c887ac05dd4c2e53c50c17bebe208be1758d6b7879144efb53d5a963/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 23:23:27 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3khxtagiq6walxkmfzj4kdaxx27cbc7bowgww6dzcrhpwu6vvfrq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
175bdb11453e65abc7c2d64a37b69d0bea771353c4eefbaa0d3ffb649292e2fc
NanoCore
3a8a04925d66b89b7cdb459aa6fc33e5132c447efcc541ab86e17b74f64a8287
NanoCore
428f5b46f88ee3bd21454e7dcb2a98182ca7b1e5240599f061231fc6d946a440
NanoCore
48f66677fec3c6d3734c439ed9b2fd29cb26a155e8ccb28f30c1b2b65a4878d8
NanoCore
4936f703c3766d5968297c3e682fc5be8a3af59fa6557502b5e29af7a4f8c925
NanoCore
4de6466841226eea95bef6fe6868d1c3d5808d8fafa3449e333f0b6d03253c84
NanoCore
4ffdfd5cf9dc5f01ef37c75d1ca13d8e59afe458c0a9f7db7b6e8954d8eb6fdb
NanoCore
5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f
NanoCore
be991fbee477b265767ac176f6e0c35de51c9616d58a4e72b1b2929d292fe0c1
NanoCore
d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b
NanoCore
+ 2'913 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
upx evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200729-kwr24mcyfa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
NanoCore
Malware Config
C2 Extraction:
:7583
79.134.225.121:7583
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/da8f7980c887ac05dd4c2e53c50c17bebe208be1758d6b7879144efb53d5a963

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz d64f3fe86ab044dbdf24676d567b7b22934f789624b5381350d7811130897bc2

NanoCore

Executable exe da8f7980c887ac05dd4c2e53c50c17bebe208be1758d6b7879144efb53d5a963

(this sample)

  
Dropped by
MD5 05cd9204d4a720268a67e7c069f592e7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34279/
  
Dropped by
SHA256 d64f3fe86ab044dbdf24676d567b7b22934f789624b5381350d7811130897bc2

Comments