MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00836d300276f97a688e30b67868e308775f58e3bf1dd1adeb6f724a246de239. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	00836d300276f97a688e30b67868e308775f58e3bf1dd1adeb6f724a246de239
SHA3-384 hash:	d905be9be95d18e8d2462c6b335f5f7cfb69d5358e7eb302a90e4a3f24e8d5264a04b1a734bc2ce0311da71f94169eba
SHA1 hash:	327642730b3c18d4cc081792f96a6daa34dcebe2
MD5 hash:	3c0d56234967cf72c73bb079f825dcda
humanhash:	cold-nine-fourteen-cup
File name:	7153903_Invoice_Receipt.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'304'064 bytes
First seen:	2020-06-16 05:40:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:1AHnh+eWsN3skA4RV1Hom2KXMmHav/mrTSt2PV09E5:kh+ZkldoPK8Yav/mvO2P5
Threatray	1'836 similar samples on MalwareBazaar
TLSH	1055BE0263D5C036FFAF92739B66B24556BC69290123853F13B81DB9B9701B21E3D26F
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

NanoCore RAT C2:
omojune.duckdns.org:8090 (185.165.153.45)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/10598/

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Predator

Status:

Malicious

First seen:

2020-06-16 05:42:05 UTC

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=acbw2maco34xu2eogc3hq2hdbb3v6whdx4o5dlpln5zeujdn4i4q._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

393d9a4808a0379b8cd5a2af21d335d8b542a597ff60c2f79a81077eaa9606c6

NanoCore

3afb002ecadb7a5826ecf82f63063b40270f6f78e812abbcb3d9b914ae67d1a9

NanoCore

788439bb46a147272e39cdd6a8a8ecdc68dbb3317e4d058526d6feda09d64613

NanoCore

a38f26190f844b13a2bbb8cbecf4b57bf109f78b665e34b8164882d8d2cdb6ee

NanoCore

b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35

NanoCore

bcc007773b48459b0b8b0fc4c47d621f65a178d297517486f78aec91d5dc1a87

NanoCore

c1f0ba6302099b8f7ef1ce28a333764efdd308cccc761ba4fcef2af386f13090

NanoCore

e0304dda8c6bcd6e6987441aab472a1bdaf17efb0ef9906b15c33fb59042e257

NanoCore

e942c853f791a2ebd37ae59344bf8878d9a02cdcb83848a68876c49497c642d2

NanoCore

+ 1'826 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201109-5eefeaabgj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

NanoCore

Malware Config

C2 Extraction:

omojune.duckdns.org:8090

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe 00836d300276f97a688e30b67868e308775f58e3bf1dd1adeb6f724a246de239

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/10598/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample