MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f001ad70af35a98383e07a785b7a6298fe510b1713633aecedc4d3429f6b39b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f001ad70af35a98383e07a785b7a6298fe510b1713633aecedc4d3429f6b39b5
SHA3-384 hash: c442590393d0c6d084278ecfed6a30749a575e1623d96c8fb497b99d6651482f740426bf5a2855f0a8b293b4793fef90
SHA1 hash: 1560229551a7eccc6f3b3b126f1d073a02d5d596
MD5 hash: ba212ccebf25389f333f0920c64f3736
humanhash: nineteen-robert-beryllium-saturn
File name:20201229_QUA_20Y0252,pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:753'152 bytes
First seen:2020-12-29 07:09:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7uzmzkzyzEUb/E03t+VfprbaFVdtHqnBp1Bq6lzQzpViD8le:7PLMw/HHKpjq6tQ
Threatray 1'431 similar samples on MalwareBazaar
TLSH D8F4D02162A52F46E43D67B994E4500143F1B947E736FBBEBCA960CE09A1B40877373B
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: morethanall.com
Sending IP: 172.96.137.118
From: Shantika <sales@morethanall.com>
Subject: Required quotation for our purchase Enquiry ref - 20Y0252
Attachment: 20201229_QUA_20Y0252,pdf.iso (contains "20201229_QUA_20Y0252,pdf.exe")

NanoCore RAT C2:
billionaire.ddns.net

Intelligence

File Origin
# of uploads :
1
# of downloads :
559
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20201229_QUA_20Y0252,pdf.exe
Verdict:
Malicious activity
Analysis date:
2020-12-29 07:11:13 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/1fdbfd99-a936-4429-a744-cd27be5c36fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109686/
Detection(s):
SecuriteInfo.com.ArtemisBA212CCEBF25.3031.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/571181
Signature
Allocates memory in foreign processes
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334655 Sample: 20201229_QUA_20Y0252,pdf.exe Startdate: 29/12/2020 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for domain / URL 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 11 other signatures 2->49 8 20201229_QUA_20Y0252,pdf.exe 7 2->8         started        12 MSBuild.exe 2 2->12         started        process3 file4 29 C:\Users\user\AppData\...\ThzIZLQWOmXxj.exe, PE32 8->29 dropped 31 C:\...\ThzIZLQWOmXxj.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\Local\...\tmp7744.tmp, XML 8->33 dropped 35 C:\Users\...\20201229_QUA_20Y0252,pdf.exe.log, ASCII 8->35 dropped 51 Writes to foreign memory regions 8->51 53 Allocates memory in foreign processes 8->53 55 Injects a PE file into a foreign processes 8->55 14 MSBuild.exe 11 8->14         started        19 schtasks.exe 1 8->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 39 billionaire.ddns.net 185.140.53.135, 3734, 49718 DAVID_CRAIGGG Sweden 14->39 37 C:\Users\user\AppData\Roaming\...\run.dat, data 14->37 dropped 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->41 23 schtasks.exe 1 14->23         started        25 conhost.exe 19->25         started        file8 signatures9 process10 process11 27 conhost.exe 23->27         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f001ad70af35a98383e07a785b7a6298fe510b1713633aecedc4d3429f6b39b5/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-12-29 05:01:55 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6aa224fpgwuyha7apj4fw6tctd7fccyxcnrtv3hnytjufh3lhg2q._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
56a37f303bc905ace197941dcc0519f3880baffe10c6d3ecfc80bbff1aae9059
NanoCore
6469be5316d7e9872af2bf870f8d64f322b22ac77772612d2b8f5a985c38d2e0
NanoCore
74c4b80dac4f93d030f93df8f89b5c5321330a5b28243bd2020eb64f0b3bed62
NanoCore
965b61084fc5dc0ae159bb0060c74b6d313e0a6c658b6c71d371d60dd41ed1c9
NanoCore
9a010009db0cef15b26b8c0698dcabc904aff124a484334bbba646c6f0a3084e
NanoCore
9b407d80c4f60b65f75a4dd1c05f10d08a59087ce14f64cb8fe9d51032c37b0b
NanoCore
a26b2e637723aaf286bb3c75afa070576c0f5d334161f0f62a27ce41eaf27d37
NanoCore
bf72228e33b1514ef0c252e9963d6472e99466656b6125c8a560a9e66e9d6d17
NanoCore
d5bb983da618a305cbc11c595a5f6726860dd74d0d7b5bdb2b3e500dfc1424ed
NanoCore
de057b593516b8235125f2513f090ffc60359e6707207492f7bd56bc67d35cd8
NanoCore
+ 1'421 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201229-sxkgdqhj9x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
billionaire.ddns.net:3734
Unpacked files
SH256 hash:
f001ad70af35a98383e07a785b7a6298fe510b1713633aecedc4d3429f6b39b5
MD5 hash:
ba212ccebf25389f333f0920c64f3736
SHA1 hash:
1560229551a7eccc6f3b3b126f1d073a02d5d596
Link:
https://www.unpac.me/results/939cf6e0-bc56-4131-933d-ff0456800cc9/
SH256 hash:
7add54c57ebead1ced0fdd86f1e8fbfb34d9c3f42ed0a8f1dd01c2d7fbdd22df
MD5 hash:
c92b6d01725e94682d4d1f8722d08f90
SHA1 hash:
22fedb39b80a6909343bcdf5ba846e8435841155
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/939cf6e0-bc56-4131-933d-ff0456800cc9/
Parent samples :
4132de9c0b4c5c604bed2261b999848573b44a5208482a4847c9b6b2f2ff729b
1c42bd094eeb6df10d17cb2fc16a7e167e38ee01d273f7c31ddf4775e015d59c
02a438010c995c0587226655a3e2420af6d60c1f09696753c5ef28c7b72c1f4d
a85f88d35b117dc6b63fc3ab6f9e6ca21a605032ddaf343f1ad6b32b86aa344e
8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d
ec230920e758500130af04a1e4231e62ffcbdfab7e548c865e84fb037ad42eb0
9a010009db0cef15b26b8c0698dcabc904aff124a484334bbba646c6f0a3084e
509de021147bf9903bae027143b68b38d92901161454cd8058ad56e39fcd143b
f001ad70af35a98383e07a785b7a6298fe510b1713633aecedc4d3429f6b39b5
ea8ea37e535102a446a8c2f88ef6a3c9277e996a32144449cde729bda80e16f2
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/939cf6e0-bc56-4131-933d-ff0456800cc9/
SH256 hash:
365ed52cf78cf3c91362273e876e5de2bb0f05ca11a603f65c8b03061ab9b77a
MD5 hash:
a48533890b04731efa56c5f92e865808
SHA1 hash:
567dfaaeac04c303accf9872b5ba958cf8c2b105
Link:
https://www.unpac.me/results/939cf6e0-bc56-4131-933d-ff0456800cc9/
SH256 hash:
5973ca4fcc6d532285fb028847160051199c0b0b5136c3dab42ca0b8ff263319
MD5 hash:
5ddee0e4977a7dde2a6c30dcd616255a
SHA1 hash:
903d6b6068730ca2464141b345def8a15117bad6
Link:
https://www.unpac.me/results/939cf6e0-bc56-4131-933d-ff0456800cc9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f001ad70af35a98383e07a785b7a6298fe510b1713633aecedc4d3429f6b39b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso 29286fb23a3d44bbfa8fca00f1e64a4dbd1d72f7c407ad7a4870ccee38378938

NanoCore

Executable exe f001ad70af35a98383e07a785b7a6298fe510b1713633aecedc4d3429f6b39b5

(this sample)

  
Dropped by
MD5 a39f360ffe57ba4b077ecad68384ee1d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 29286fb23a3d44bbfa8fca00f1e64a4dbd1d72f7c407ad7a4870ccee38378938
Cape
Cape
https://www.capesandbox.com/analysis/109686/

Comments