MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10

SHA256 hash: e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69
SHA3-384 hash: 873b911efe928370fd0bf466494b2b9bc79f28193ed1267bf9fc7cfcf05091c866ccf9e95b60e7bcea45f3ea53f0a720
SHA1 hash: f53591409c538d7e4f5b45f42d014d42ad003ad0
MD5 hash: 5e90e2d465e0f2a3f2495ef59c4b53d1
humanhash: west-september-colorado-yankee
File name: IMG74693969444.exe
Signature: NanoCore
File size: 272'896 bytes
First seen: 2020-07-24 10:53:05 UTC
Last seen: 2020-07-24 12:08:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 6144:LiMqGD/8vAmWalDTKqicfWupCpfV5FliAsbgH:valHKqi0pCp/F8
Threatray: 1'244 similar samples on MalwareBazaar
TLSH: 6144F106D5BC4E42C48E67FC4D98042036BCAD2FE9BFD3A71AE8E46D4793EC549D025A
Reporter: abuse_ch
Tags: exe GoDaddy NanoCore nVpn RAT


abuse_ch
Malspam distributing NanoCore:

HELO: a2nlsmtp01-04.prod.iad2.secureserver.net
Sending IP: 198.71.225.38
From: yehia <yehia.shalaan@masterscaf.com>
Reply-To: store@givmail.com
Subject: payment
Attachment: IMG74693969444.7z (contains "IMG74693969444.exe")

NanoCore RAT C2:
185.244.30.10:3310

Hosted on nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
descr: Budapest, Hungary
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-07-17T11:52:57Z
source: RIPE

Intelligence

File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun with Startup directory
Unauthorized injection to a system process
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Behaviour
Behavior Graph (rendered graph; the recoverable facts are listed here):
Behavior Graph ID: 250878
Sample: IMG74693969444.exe
Startdate: 24/07/2020
Architecture: WINDOWS
Score: 100
Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 10 other signatures; Drops PE files to the startup folder; Maps a DLL or memory area into another process (repeated at each re-spawn); Hides that the sample has been downloaded from the Internet (zone.identifier); Writes to foreign memory regions
Process tree: IMG74693969444.exe repeatedly starts a new copy of itself together with RegAsm.exe; HJdyTuap.exe also starts RegAsm.exe; RegAsm.exe starts schtasks.exe (twice); conhost.exe instances accompany these processes
Dropped files: C:\Users\user\AppData\...\HJdyTuap.exe (PE32, by IMG74693969444.exe); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp81CB.tmp (XML); C:\Program Files (x86)\...\wpasv.exe (PE32) (the last three by RegAsm.exe)
Network: RegAsm.exe connects to 185.244.30.10 port 3310 from local ports 49736 and 49737 (DAVID_CRAIGGG, Netherlands)
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2020-07-24 10:55:05 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
NanoCore Malware Config
C2 Extraction: 185.244.30.10:3310
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NanoCore
Executable exe e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69 (this sample)
Delivery method: Distributed via e-mail attachment

Comments