MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b70fdc39cc7849e555d2b7cdd0984ecd259bbfb1a8985d975f44c402360d5ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	2b70fdc39cc7849e555d2b7cdd0984ecd259bbfb1a8985d975f44c402360d5ce
SHA3-384 hash:	533183c6896843723cc7e27074391f4f31bb5bc2b9b8e0ad008257e751305d7836007880bafbf5f1f3a187abaf8bf279
SHA1 hash:	188a455ff7dabdb7f154d7f0ac27ab73beaff7b1
MD5 hash:	8cc39a8f7bc20068baba2280d4fab6c3
humanhash:	ceiling-twenty-alpha-stream
File name:	Order_9330.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	332'800 bytes
First seen:	2020-04-29 18:18:45 UTC
Last seen:	2020-04-29 19:04:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:T6q4GY5YYaSLNzSiR4GiMs8riPIZtY7ps4r5iJmgO6AN8jsjZGbdAc/12:NSJzSiWGiMriwBAAJXYGbdbY
Threatray	1'603 similar samples on MalwareBazaar
TLSH	306402B8E60C237EC57E4A7A4482CD49327DA05EE182F7981DD73AAD458FBC468C46C3
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: alkuhaimi.com
Sending IP: 209.58.149.66
From: S Kumar. R <rud-division@alkuhaimi.com>
Subject: Order
Attachment: Order_9330.zip (contains "Order_9330.exe")

NanoCore RAT C2:
dealbaba.ddns.net:4040 (79.134.225.73)

Hosted on nvpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.33742726.30736.8973.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-28 23:41:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fnyp3q44y6cj4vk5fn6n2cme5tjfto73dkeylwlv6rgeai3a2xha._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

47d0a3fd48775f1ebe0290c493c5f485581e766c1ee4e6d2c7f1dbc077645079

NanoCore

47e1f71185f193d015191dec0fd981e6591780a336115fe14638b74031531ac8

NanoCore

782999121ca089a150f34c3527a7e1c1a5f9c59a73034e3bf6ca166c590a47f3

NanoCore

ab63d78243683e8f00bd7a00b3e0ba6867a86bec1abb6b67b24ae3ff9cb65ac9

NanoCore

d1a314902f558ae79e891b785eec7e87002ed607411e8dfc85b5fbb2f9ef9dc0

NanoCore

d83d25cdeec57d8bdb0ae70c21d60f32645a2fa21f3f7792774b5ad3bffce9b5

NanoCore

d9568ff73274781296415519aa548621099b45cc19d68c2d9ce59ce9bee384a7

NanoCore

f17b34a25b38f624ce1dc8c5f36cefbf3a989b77714f4c566c085c56f03c8fbb

NanoCore

fcc68c78e81eab01751ffe299b6213e6dbe994a6d197367000371e82a4ac0a41

NanoCore

+ 1'593 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip c76e585c052ba24e2d8d9e4213b1ead50366e6f828a8d66d9cb6b00b96c14c37

NanoCore

exe 2b70fdc39cc7849e555d2b7cdd0984ecd259bbfb1a8985d975f44c402360d5ce

(this sample)

Dropped by

MD5 697b8cbb348cf618e57079059613ac60

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 c76e585c052ba24e2d8d9e4213b1ead50366e6f828a8d66d9cb6b00b96c14c37

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample