MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d
SHA3-384 hash: 7d2fcc509973cce7598735f30f8b8c5fe0d8e055af28ca8abaf08ca0316ce9203b7ae1313db3000f65da03668356940f
SHA1 hash: b7a6439af27100b1e559cff1e72628bad9dbae2b
MD5 hash: 187f3642a49e6306ae14622b952739d9
humanhash: triple-maryland-nebraska-seven
File name:PURCHASE ORDER_PDF_____________________________________,,,,,.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:887'808 bytes
First seen:2020-07-19 09:53:55 UTC
Last seen:2020-07-19 11:11:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:DrMnqjzGYIdjMxMSo15GXacXYp3uyAjrMnnm12k4zUHjZG4YhtVftRXM7nr/V1Fe:DrvxguwcLjrlV2tVU7nJ0uLurd
Threatray 1'297 similar samples on MalwareBazaar
TLSH B7153AF7964981C5C9AF9EBDD48607600AC7EDD5F0F8A20B03967C323B727A0D88556B
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: server.dafnia.com
Sending IP: 198.1.76.245
From: dafnia@dafnia.com
Subject: PURCHASE ORDER
Attachment: PURCHASE ORDER_PDF_____________________________________,,,,,.iso (contains "PURCHASE ORDER_PDF_____________________________________,,,,,.exe")

NanoCore RAT C2:
ugorji.ddns.net:30945 (105.112.100.93)

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27783/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.59975.6372.17253.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389711
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247029 Sample: PURCHASE ORDER_PDF_________... Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 64 ugorji.ddns.net 2->64 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 12 other signatures 2->74 9 PURCHASE ORDER_PDF_____________________________________,,,,,.exe 7 2->9         started        13 wpasv.exe 2 2->13         started        15 PURCHASE ORDER_PDF_____________________________________,,,,,.exe 2 2->15         started        17 wpasv.exe 3 2->17         started        signatures3 process4 file5 56 C:\Users\user\AppData\Roaming\osrTQgvg.exe, PE32 9->56 dropped 58 C:\Users\...\osrTQgvg.exe:Zone.Identifier, ASCII 9->58 dropped 60 C:\Users\user\AppData\Local\...\tmp9E70.tmp, XML 9->60 dropped 62 PURCHASE ORDER_PDF...______,,,,,.exe.log, ASCII 9->62 dropped 78 Injects a PE file into a foreign processes 9->78 19 PURCHASE ORDER_PDF_____________________________________,,,,,.exe 1 12 9->19         started        24 schtasks.exe 1 9->24         started        26 wpasv.exe 13->26         started        28 wpasv.exe 13->28         started        38 3 other processes 13->38 30 PURCHASE ORDER_PDF_____________________________________,,,,,.exe 15->30         started        32 PURCHASE ORDER_PDF_____________________________________,,,,,.exe 15->32         started        34 PURCHASE ORDER_PDF_____________________________________,,,,,.exe 15->34         started        36 wpasv.exe 17->36         started        signatures6 process7 dnsIp8 66 ugorji.ddns.net 105.112.98.112, 30945 VNL1-ASNG Nigeria 19->66 50 C:\Program Files (x86)\...\wpasv.exe, PE32 19->50 dropped 52 C:\Users\user\AppData\Roaming\...\run.dat, data 19->52 dropped 54 C:\...\wpasv.exe:Zone.Identifier, ASCII 19->54 dropped 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->76 40 schtasks.exe 1 19->40         started        42 schtasks.exe 1 19->42         started        44 conhost.exe 24->44         started        file9 signatures10 process11 process12 46 conhost.exe 40->46         started        48 conhost.exe 42->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-18 01:27:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7z6wp4wkeb6war2azdtg2itdqbe4vcqmicayvwpr3biv22is6fwq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
007496b08a75c10d024eaa0fb68783f9a012e8f707edbd804d3268e68496d3e6
NanoCore
5b982bb28bff9233140d835bd34cb4a0ef043e2304a8ce2a934e546c1db1c475
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
786e5ea538d875c628433d6cf45abd9559ede017b01b3fca8eb3bfc6dbc66f12
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
a26b2e637723aaf286bb3c75afa070576c0f5d334161f0f62a27ce41eaf27d37
NanoCore
be240aed297970b0e97f46ce8964784645c8bfeb7b4ffc451ab7857b7df8438f
NanoCore
c1e95a6f558510abc5490b3c48c42b49b999d45ad187691c84d9d06473a16e7a
NanoCore
cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae
NanoCore
f6418cb1cf7a9024b0a8e7f736c45f0a7e8aaa5ecd2d41241f20a56ea05ccf07
NanoCore
+ 1'287 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200719-3ehm6ksren/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
ugorji.ddns.net:30945
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso ad1c54a94e3f065a36e5e9d9d6319abedb20aa5d5405661b2bde0940989908ee

NanoCore

Executable exe fe7d67f2ca207d604740c8e66d22638049ca8a0c40818ad9f1d8515d6912f16d

(this sample)

  
Dropped by
MD5 445f4f3911c12c6084c0d908dc570ebb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ad1c54a94e3f065a36e5e9d9d6319abedb20aa5d5405661b2bde0940989908ee
Cape
Cape
https://www.capesandbox.com/analysis/27783/

Comments