MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd889953ad0e22f6fb8601866cf6d12b1a4d3027e2e885836510a503a2892b7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	fd889953ad0e22f6fb8601866cf6d12b1a4d3027e2e885836510a503a2892b7d
SHA3-384 hash:	cc2e6e8c7d70a4a8eedf732caee33cc8119e2ca2cccfe63458196ef1c2c56a87866f940e6cf0d254dafadbd7c2e4bbed
SHA1 hash:	7e2807a4896222c471c13e58f91ff09ab3bee01a
MD5 hash:	0ed0171e991e66378a7283c6d30042a0
humanhash:	six-nevada-four-pennsylvania
File name:	1217_07_06_20_REF2.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	799'744 bytes
First seen:	2020-07-06 06:30:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9151eb11c7b89540ea983bb97309fe65 (6 x AgentTesla, 5 x Loki, 2 x NanoCore)
ssdeep	12288:PZ7GXbYoWBPb0B+Thxy2B7Sb4fyhfHD7JYEAiPtOS7br08cYdaalyRjM5Z3P6q:xSRWJpTm2obqoRPrw8cgyY5ZL
Threatray	2'812 similar samples on MalwareBazaar
TLSH	F3059E56E2D04833D1AB263C9D1B576CA935BE313E285A477BF41C4CAF3869334292E7
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: yahoo.co.in
Sending IP: 45.143.222.165
From: Andy <multimarmer@yahoo.com>
Subject: Re:STATEMENT OF ACCOUNT
Attachment: 1217_07_06_20_REF2.pdf.zip (contains "1217_07_06_20_REF2.exe")

NanoCore RAT C2:
wazzy.ddns.net:1716 (194.5.99.24)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: INTER_CLOUD_SERVICES_RUSSIA
admin-c: ICTR1-RIPE
tech-c: ICTR1-RIPE
org: ORG-ICR2-RIPE
country: RU
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-04T13:20:18Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/20801/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Launching a process

Deleting a recently created file

DNS request

Using the Windows Management Instrumentation requests

Launching a service

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Enabling autorun with Startup directory

Unauthorized injection to a system process

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/fd889953ad0e22f6fb8601866cf6d12b1a4d3027e2e885836510a503a2892b7d/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-06 06:32:06 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7wejsu5nbyrpn64gagdgz5wrfmne2mbh4luila3fccsqhiujfn6q._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

emotet

NanoCore

24fe76a4e6cd5623f2326d2f43de09b9b6f4de236e80ea5aca50b76da888c0af

NanoCore

3ec241071c7e4652915d56d349936696967e54a34d4943a51bdb20a91893331b

NanoCore

68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3

NanoCore

7ff651aa9581a2cb706e1aeb7957f06a70a6718abd0a6449a039006e9eff06dc

NanoCore

90474a0270106b33e3208a63041d2e4d013b1d2b415bf3bf44e9a5ab685d0531

NanoCore

a4d6c0a909365bd89fdf812fbb75f92edc06fcd2a9a7b3c6d9b553ffe124858f

NanoCore

be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0

NanoCore

c70637a7eb05b36175b101211cda02663eeefff3ea85b0742c5be6f7badd0a75

NanoCore

e1bf95bd96a59075ac24eec7c47b3142361ea79c1fb68e2b6039212fba523449

NanoCore

+ 2'802 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200706-zcnrlvt3zn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of SetThreadContext

Checks whether UAC is enabled

UPX packed file

NanoCore

Malware Config

C2 Extraction:

wazzy.ddns.net:1716
194.5.99.24:1716

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/