MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4174e1702d046eb696fb13f9d7be26c7b519179ac94212ce61de97ed586cf10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	e4174e1702d046eb696fb13f9d7be26c7b519179ac94212ce61de97ed586cf10
SHA3-384 hash:	6e3873c81c3f6658b0fd62ae41c2d1c277c9a7c37a13d44f468c067600f543f7f2749036b4c142e06ea2be5cd36962e0
SHA1 hash:	15a69ba1025557f3e9efc1c898e44dea1dff5130
MD5 hash:	bb18d890356392ddf87214800ce5d539
humanhash:	stream-timing-winter-timing
File name:	PROOF OF PAYMENT.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	499'200 bytes
First seen:	2020-07-07 09:23:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:+aNGDxxGQU3vebw+DFHzSeCO09LigNbAEMp31gI81o3tlHFcq07k7gfaO+XK7+Z:XQg73veU+BHtCO3Lg7o3tllcqdsL+X
Threatray	1'467 similar samples on MalwareBazaar
TLSH	AAB4AEB032B59FA6C63A0FF4911424404FF03A9B652DC2A86EC560DB55F6F488E95FB3
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: stpauls.stpaulsl.local
Sending IP: 97.82.28.20
From: ASETLINE FINANCE<asetline.za@gmail.com>
Reply-To: <asetline.za@gmail.com>
Subject: PROOF OF PAYMENT
Attachment: PROOF OF PAYMENT.rar (contains "PROOF OF PAYMENT.exe")

NanoCore RAT C2:
nansedd.duckdns.org:2133 (194.5.99.13)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: INTER_CLOUD_SERVICES_RUSSIA
admin-c: ICTR1-RIPE
tech-c: ICTR1-RIPE
org: ORG-ICR2-RIPE
country: RU
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-04T13:20:18Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/22146/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

Creating a file in the Program Files subdirectories

DNS request

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/e4174e1702d046eb696fb13f9d7be26c7b519179ac94212ce61de97ed586cf10/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-07 09:25:07 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4qlu4fyc2bdow2lpwe7z267cnr5vdelzvskcclhgdxux5vmgz4ia._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

emotet

NanoCore

24fe76a4e6cd5623f2326d2f43de09b9b6f4de236e80ea5aca50b76da888c0af

NanoCore

3ec241071c7e4652915d56d349936696967e54a34d4943a51bdb20a91893331b

NanoCore

500993334540fe89b080d37fcfe6c1a46745e668232cca7f672925674b38761c

NanoCore

68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3

NanoCore

90474a0270106b33e3208a63041d2e4d013b1d2b415bf3bf44e9a5ab685d0531

NanoCore

a4d6c0a909365bd89fdf812fbb75f92edc06fcd2a9a7b3c6d9b553ffe124858f

NanoCore

be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0

NanoCore

c70637a7eb05b36175b101211cda02663eeefff3ea85b0742c5be6f7badd0a75

NanoCore

e1bf95bd96a59075ac24eec7c47b3142361ea79c1fb68e2b6039212fba523449

NanoCore

+ 1'457 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

keylogger trojan stealer spyware family:nanocore persistence evasion

Link:

https://tria.ge/reports/200707-1dkyjcv3ax/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run entry to start application

NanoCore

Malware Config

C2 Extraction:

nansedd.duckdns.org:2133

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/