MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f304855a11aedd539b9bdb686b1d5781e0d7080560f9520c6bda8586947b3285. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 9



SHA256 hash: f304855a11aedd539b9bdb686b1d5781e0d7080560f9520c6bda8586947b3285
SHA3-384 hash: 83a9baf327ccaaba95f938f36d0486a01488d151d2f423767a3782a0d60dcc7b650a2add7401bb80bc1c2507f429900c
SHA1 hash: aec9563e3781e6c25e0c34fcd04c9ed506cb906c
MD5 hash: b18575c87134177caa9d6fe02ed9c243
humanhash: bluebird-beer-yellow-vegan
File name: b18575c87134177caa9d6fe02ed9c243.exe
Download: download sample
Signature: NanoCore
File size: 820'224 bytes
First seen: 2020-07-22 06:26:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00cfe1cece4ca5ab4917a4bbdc80ffdc (10 x MassLogger, 6 x AgentTesla, 4 x NanoCore)
ssdeep: 12288:IwBUPwzUNE1UYSfrhzPKli+esLpzYHVhI/2W8fxPsKAma71/bJMxd4PI:1wwMkUYMrhzPMeYsjZpuKAmaRbixB
Threatray: 3'339 similar samples on MalwareBazaar
TLSH: 2B05AF16E3D048F3F177263D5D1B97A4AD2ABE413D289E476BE42C0C9F39641383A1A7
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore RAT C2s:
harri2gudd.duckdns.org:2177 (105.112.104.62)
69.65.7.130:2177

Intelligence


File Origin
# of uploads: 1
# of downloads: 76
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name: Nanocore
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 249559; sample 4PC7c1Bnua.exe; start date 22/07/2020; architecture WINDOWS; score 100)

Top-level signatures:
- Found malware configuration
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for dropped file
- 11 other signatures

Process tree, with the signatures, dropped files and network contacts attached to each node:

4PC7c1Bnua.exe
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Contains functionality to detect sleep reduction / modifications
  -> notepad.exe
       Dropped: C:\Users\user\AppData\...\bjhshjkf.exe (PE32); C:\Users\...\bjhshjkf.exe:Zone.Identifier (ASCII)
       Signature: Creates files in alternative data streams (ADS)
       -> bjhshjkf.exe
            Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 3 other signatures
            -> bjhshjkf.exe
                 Network: harri2gudd.duckdns.org (105.112.104.62), port 2177, VNL1-ASNG, Nigeria; 69.65.7.130, ports 2177, 49723, 49724, ASN-GIGENETUS, United States
                 Dropped: C:\Program Files (x86)\...\wpasv.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp812E.tmp (XML); C:\...\wpasv.exe:Zone.Identifier (ASCII)
                 Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                 -> schtasks.exe -> conhost.exe (two instances)
            -> bjhshjkf.exe

wpasv.exe (two instances, each started from the root)
  -> notepad.exe -> bjhshjkf.exe
       Signature: Maps a DLL or memory area into another process
       -> further bjhshjkf.exe re-spawn chains, one of which ends in a bjhshjkf.exe node with the signatures: Maps a DLL or memory area into another process; Sample uses process hollowing technique

bjhshjkf.exe (started from the root)
  Signature: Maps a DLL or memory area into another process
  -> bjhshjkf.exe -> further bjhshjkf.exe re-spawn chains
  -> bjhshjkf.exe
       Dropped: C:\Users\user\AppData\...\bjhshjkf.exe.log (ASCII)
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-22 06:28:06 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: upx evasion trojan keylogger stealer spyware family:nanocore persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
UPX packed file
NanoCore
Malware Config
C2 Extraction:
harri2gudd.duckdns.org:2177
69.65.7.130:2177
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: NanoCore
File type: Executable exe
SHA256: f304855a11aedd539b9bdb686b1d5781e0d7080560f9520c6bda8586947b3285 (this sample)

Delivery method
Distributed via web download

Comments