MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14537de8568175e9905dbca8728e46383b969a4df71c245f59454e6abf2056e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14537de8568175e9905dbca8728e46383b969a4df71c245f59454e6abf2056e0
SHA3-384 hash: 53c1a54937294df48be421f84b5e1c1b7c6548fc5335deba6dd9fe928d2184c537b0ae219964848a56c7fdbdc829d320
SHA1 hash: 91e23b0b0ba4324c3513c1afecba75241f2b6585
MD5 hash: 042289d1085036c643080af4fb48f4c0
humanhash: network-hawaii-vegan-bakerloo
File name:RSPL418819-20 RS.2360.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:440'320 bytes
First seen:2020-08-18 13:14:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:gizhlONrFQIr3fiBp/iq3ELxnOP4EcmZHAFaxmVmie9bngPFRAV/:JhANhQIrvU1B3464EcmZHAFaxmVmie9M
Threatray 1'136 similar samples on MalwareBazaar
TLSH 9794D04C3490B1AFE5F95EB5AC241C2847A2231F420FFE0749579AE497DEAE3CE444A7
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: gmail.com
Sending IP: 81.171.9.143
From: Ms. Dakshata Gawade <chomi0605@panpacific.co.kr>
Reply-To: Ms. Dakshata Gawade <surnit9041@gmail.com>
Subject: Re: Regarding Payment
Attachment: RSPL418819-20 RS.2360.rar (contains "RSPL418819-20 RS.2360.exe")

NanoCore RAT C2:
masterwork.ydns.eu

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47897/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/14537de8568175e9905dbca8728e46383b969a4df71c245f59454e6abf2056e0/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 13:16:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=crjx32cwqf26tec5xsuhfdsgha5zngsn64ocix2zivhgvpzak3qa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425
NanoCore
115ac22b81d02e9b30179404484045af66fe01218a17cad538fa3f6d66819f39
NanoCore
5c0f2a6b96505881c5cdb0c3c931ace0d2de9725e3094246973291ad5ca9d0e4
NanoCore
6aa3059db34fb36662907183cf3780aac4b4c00e663f261a59aeebc00c03a5c0
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
88ae38556e157d0f34780d0764240a8f5be7c503b4c4c173403cd2be59cd2916
NanoCore
a94d174668553fbeb3c27e3194f9cef33d0d24ca56891658911bfdd7451ae9f8
NanoCore
be240aed297970b0e97f46ce8964784645c8bfeb7b4ffc451ab7857b7df8438f
NanoCore
d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a
NanoCore
e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69
NanoCore
+ 1'126 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200818-nm4zvwfrbx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
masterwork.ydns.eu:2310
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14537de8568175e9905dbca8728e46383b969a4df71c245f59454e6abf2056e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar e85162351615ec71e569d940b65959343ff76491b615367286b4cfabc3fa6455

NanoCore

Executable exe 14537de8568175e9905dbca8728e46383b969a4df71c245f59454e6abf2056e0

(this sample)

  
Dropped by
MD5 59b891bdfed93176883d6671dc4ecd48
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47897/
  
Dropped by
SHA256 e85162351615ec71e569d940b65959343ff76491b615367286b4cfabc3fa6455

Comments