MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df4ac313a1013e4111037cb09097cc4a53251d144568c8bd1fd4587cb8f7c4b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df4ac313a1013e4111037cb09097cc4a53251d144568c8bd1fd4587cb8f7c4b4
SHA3-384 hash: 884f0176dbbcf5cf21ada0f1fbd29cc77a30150e4d7d5c579825fdba844eac0cb10c49f294490ccbc88f57e28d0bbe65
SHA1 hash: 99cfe77679e1e0abc487b61ac3093e1fed30a277
MD5 hash: bef5cac24c190344f2bd75ae5e12b4f5
humanhash: nevada-hotel-coffee-spaghetti
File name:LKVQYCZZkBgadMX.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:500'224 bytes
First seen:2020-07-31 06:30:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ny4gK3tWf7Ecmit5GjFi8b55L+pt95P2+0C+b+:ny4gK3ty/Gx55U75P2pw
Threatray 1'946 similar samples on MalwareBazaar
TLSH 55B4AD4DB4DA111EF042317A5EF9839BCEA6ED6B564201DB32F77587887C7082B84EB1
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: sg4.isimtescil.net
Sending IP: 93.89.232.213
From: Minisini Gabriele <sxdfzc@hotmail.com>
Subject: Order List
Attachment: ORDER LIST.ARJ (contains "LKVQYCZZkBgadMX.exe")

NanoCore RAT C2:
79.134.225.71:1985

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35839/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/404585
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 254522 Sample: LKVQYCZZkBgadMX.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 9 other signatures 2->46 7 LKVQYCZZkBgadMX.exe 7 2->7         started        11 dhcpmon.exe 4 2->11         started        process3 file4 26 C:\Users\user\AppData\...\&startupname&.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\tmpD88A.tmp, XML 7->28 dropped 30 C:\...\&startupname&.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\...\LKVQYCZZkBgadMX.exe.log, ASCII 7->32 dropped 48 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->48 13 RegSvcs.exe 1 13 7->13         started        18 schtasks.exe 1 7->18         started        20 RegSvcs.exe 7->20         started        22 conhost.exe 11->22         started        signatures5 process6 dnsIp7 38 79.134.225.71, 1985, 49741 FINK-TELECOM-SERVICESCH Switzerland 13->38 34 C:\Users\user\AppData\Roaming\...\run.dat, data 13->34 dropped 36 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->36 dropped 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->50 24 conhost.exe 18->24         started        file8 signatures9 process10
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df4ac313a1013e4111037cb09097cc4a53251d144568c8bd1fd4587cb8f7c4b4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 06:32:07 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=35fmge5bae7eceidpsyjbf6mjjjskhiuivumrpi72rmhzohxys2a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1717df1ab47e7e7018f932174fc590d7db4ba7ccb3d20da6effac2ca3caa9b3d
NanoCore
1c2fafc2031b76ab4caf3f91474f023321703a820209da4591192b6ca7cd09d2
NanoCore
28a44d1e835114aaab990d3319db3292b543a81a271903d06dc2eaad9b2bc793
NanoCore
2f69bbdb312d1e2421db8c0d82828693ddd494216c6549a0884bc2c188eaf167
NanoCore
59e93dfe8fd2150d34ed6d3c2124a2f77a074b0d548ff2668944ca3d3b2e15d8
NanoCore
5d37ea9d96ae208d4df3961643780b97016cf055128483ae287ad86616cbea45
NanoCore
6163f1bf34c821d55a7e532009adc95ba921b28578a58336e5b01f6c09d4dad4
NanoCore
7528449cf7a3a8d1b8d56a5207cbcff5c2afe95aa6f4258acfa858a28bd370f5
NanoCore
dedd4035d172ab0099d8803fcad64fe025d77f5520099deb74b6121a3c88e229
NanoCore
f2f3fbce922931de773ca15e8486016a85595a41fec8cb94d29e7b16bdcc2bfe
NanoCore
+ 1'936 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore persistence evasion
Link:
https://tria.ge/reports/200731-mn8twbzkte/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
79.134.225.71:1985
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df4ac313a1013e4111037cb09097cc4a53251d144568c8bd1fd4587cb8f7c4b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 16868e24e7d2d8465100b00d0a46e00226b584bc4f2411ff675be809d086cbe3

NanoCore

Executable exe df4ac313a1013e4111037cb09097cc4a53251d144568c8bd1fd4587cb8f7c4b4

(this sample)

  
Dropped by
MD5 c7543d2ead30eb3736848ef164e8c66e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35839/
  
Dropped by
SHA256 16868e24e7d2d8465100b00d0a46e00226b584bc4f2411ff675be809d086cbe3

Comments