MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 023f0a5d97bc9513ebf82fa8bebc612322a31372e7d378844a6198b2399356a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 023f0a5d97bc9513ebf82fa8bebc612322a31372e7d378844a6198b2399356a5
SHA3-384 hash: 88ffd6a87d9317f6ee3de92ae6b4e0a1494e62ad60e706328180a803b6fbdc8ce259ecf0e7df2e0378776583d9c811c3
SHA1 hash: dbf572bf1423dfadfc08ddd44894ed1b53f0fd55
MD5 hash: 3c786d58ffaf6a2abb01a799538c30a3
humanhash: sink-steak-cola-hamper
File name:Pelican.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:475'648 bytes
First seen:2020-05-01 14:33:02 UTC
Last seen:2020-05-01 15:55:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:yoYgTOyrIVof/6pgaQigxwIRLjB6wG8WnHjEWfQ8zUr35fqSeIFY0hBZfXZg2/jH:moXm/IRvbG8WHjEWpz44C9ZS2bCwG3U
Threatray 1'150 similar samples on MalwareBazaar
TLSH A1A4BE6546A8462FFFFE06B8D06825ACC7F9B557B2C2F74D8D9040B80C92B45DC926E3
Reporter abuse_ch
Tags:exe geo NanoCore TWN


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: dharmajaya.co.id
Sending IP: 103.113.170.147
From: 台湾鹈鹕快车 <delivery.notice@e-can.com.tw>
Subject: 您的台湾鹈鹕\快递包裹已经到货
Attachment: Pelican.arj (contains "Pelican.exe")

NanoCore RAT C2:
172.111.188.199:8829

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.43686.10721.10782.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 12:47:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ai7quxmxxskrh27yf6ul5pdbemrkge3s47jxrbckmgmleomtk2sq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
34a3ed451a024500c8d0002f55a7884bb22571baf0c71dbd412fed588d814034
NanoCore
3d9c66589409dbd885e007520427ae5c6a97a1cd71608513292f5105a0b31dc5
NanoCore
51ece6274349758948b6af8836b151e12d2ae97b0e7806bc016dee0af026412b
NanoCore
619a5e8a0ade93b187c7f438bcb7c5bb15a33da3148176513a2c0010c7960cd4
NanoCore
63ffc920c99c00673877a870e745cd73a11892a464bb04f484d6b166db7fd1d4
NanoCore
72ec03ca08ff77ca14f3a6391fed5e716df65cbca4329a372876dbb451cbc448
NanoCore
86e7c721f7fd48bd652d9a36a32e5744bd8ae0b02701f3d3086f9c7603a31369
NanoCore
906f3fbf6a6face0d18f8e7d6b4f670df91f558cb9f4719fea860748f3964891
NanoCore
bf0ad956a210613614b06919c4663576b23ed1c415ddd5051ff858c84a1554e4
NanoCore
c639174f0dd193464782b116b0924d7b46c0390fa023093269fb304178c4b403
NanoCore
+ 1'140 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip c3ff019801eb35b8a4b0a21b58ad7f20740d437b29abff0a7bc49f2f3fc47afe

NanoCore

Executable exe 023f0a5d97bc9513ebf82fa8bebc612322a31372e7d378844a6198b2399356a5

(this sample)

  
Dropped by
MD5 ce98dc4d540a7997d47878baae3c5378
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c3ff019801eb35b8a4b0a21b58ad7f20740d437b29abff0a7bc49f2f3fc47afe

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments