MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed544c300a04ddf77c6537f3cb78177f12c9a23e62d06189a19eee966caf9631. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	ed544c300a04ddf77c6537f3cb78177f12c9a23e62d06189a19eee966caf9631
SHA3-384 hash:	deda28e03755a9e75d5a73388ee9178e9b738072994156687c45ad0b4f1b2e464f6a974d8316d0997e6dc901ebd20db2
SHA1 hash:	0defa687fc8e1defaf119e3f9862d6e284f77821
MD5 hash:	7aa582c66104d87e4a1bf3f3bdb86d5c
humanhash:	triple-apart-butter-cat
File name:	nxdd.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	681'472 bytes
First seen:	2020-06-24 05:23:07 UTC
Last seen:	2020-06-24 05:52:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	6144:EhKjv1bhJ7SI7zfANCiFp/KRr4En3Fvs7Pp1kukrbxuX4RLTznyosS6nr:EgxD6Fp/KRU831IB1RqxuIRfA
Threatray	1'666 similar samples on MalwareBazaar
TLSH	76E4E37169646125CF782A3D85701CE1C9AD9CB0DB2982CF5AE3B17A03F46CD5B43CB6
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: semf07.mfg.siteprotect.com
Sending IP: 64.26.60.170
From: Audrey Nelson <info@srus.ca>
Reply-To: prepre080@vivaldi.net
Subject: RESENDING: Quotation Needed
Attachment: PO23062020.xlsm

NanoCore RAT payload URL:
http://habibme.net/nxdd.exe

NanoCore RAT C2:
bright1.awsmppl.com:4777 (79.134.225.103)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/13378/

Detection(s):

SecuriteInfo.com.MSIL.Packed.SmartAssembly.AY.13078.UNOFFICIAL

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/ed544c300a04ddf77c6537f3cb78177f12c9a23e62d06189a19eee966caf9631/

Threat name:

ByteCode-MSIL.Trojan.SmartAssembly

Status:

Malicious

First seen:

2020-06-24 05:25:04 UTC

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

21355c7eb596e21724d0a59545db0faf6219b858986cb5b0162201f54288ebb8

NanoCore

2f003ca84db5f82fcf36040f7d97baae64e0582e830c8c1cea65c32c3d5b21d5

NanoCore

483338a656b2a7bf095d9bf3ca950419f217acdb9812b3d0013ccc13785f305e

NanoCore

55aefb224ad3c9381b95d6c131b58141aeea9e59046eae8b53968a274108cfa8

NanoCore

5a6fe34b789cafaa0352cd5544f51ac4086401c13da8925578aa260f8d7fab34

NanoCore

602b19f259171ac577fb9d67952442c71809b4b3977484115883d7ed6be067a3

NanoCore

6d6f5f18b3a61dc596b10fbca17969aa9e8b2d771af6b9084977e0dfa70ff6e6

NanoCore

963ef1f1d728673b7769357ef250a53cf202abf7748fb780158e8b642aa63ba8

NanoCore

ed6ea055c622adab41b5eba73b4d556c4c843b9e77e21933297ca0ce972ce5c4

NanoCore

+ 1'656 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200624-wnt91r3lt6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Drops startup file

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

bright1.awsmppl.com:4777
gold080.ooguy.com:4777

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/