MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b8897f098ca8f20031317f168e5506a26ccf0ce72dbde710bfb86181c78aa8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	3b8897f098ca8f20031317f168e5506a26ccf0ce72dbde710bfb86181c78aa8e
SHA3-384 hash:	d95a20f45dd16b692fe92f4c9e19188bea54e3071686b38a1ce3e0addd55a1e7a8fe3023c1f4dc21ac7662bf21b1d3bc
SHA1 hash:	61aa78fbf56fe8a279713ea65c74d50a91733c20
MD5 hash:	9ca70aa1dc13591328c01751e92bb103
humanhash:	cold-failed-spring-cup
File name:	9ca70aa1dc13591328c01751e92bb103.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'732'608 bytes
First seen:	2020-05-18 12:20:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	49152:iw80cTsjkWa3kYVFCChYeoGxLY+qvbH8:X8sjkEYVpboGxL5qv
Threatray	1'807 similar samples on MalwareBazaar
TLSH	EE85E022A3DDC370CB769173BF29B7016EBB3C714630B95B2F980D79A950161262D7A3
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

NanoCore RAT C2:
kcbill.ooguy.com:6331 (185.165.153.6)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-18 12:35:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 31 (64.52%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hoejp4eyzkhsaaytc7ywrzkqnitmz4gooln544il7odbqhdyvkha._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

10315925b522edfdb4a4fdbd067493ed9bf97796fc3dd61242de5b4bf71c6471

NanoCore

33318539cfd16ce1d6f1cd45885d39c5534b8ccc6a81a64b53fb890b96fd9cee

NanoCore

5ba0464b431c033464dcf68f7fc327759729d35621fe43d3fbe31b1a5e9b8a88

NanoCore

64f61dd41ec3a411e647f6371b8500666db3c96cc57a8cb0c16d47cceaf12aa9

NanoCore

7cb0f80624431e1745d162ee3c2a4a25744f8d8fcbd95fe3c54f94214e826e0d

NanoCore

cb0a3504bf404124f83e0f9db5453ba1f1943f73dd19196a5b7d780ad2213bec

NanoCore

d3513277194223ab378d98baeb6f4de4180f2499e3b4fb48a57e055512d173c5

NanoCore

fcde661a96a6352ae04e5127c9d1844079dbd05980564cef93bdd96069fce8a0

NanoCore

ffffd192ab79755901f078b3f7c38faa29e8d8a944466a9ea6cd0a9c69a97ee7

NanoCore

+ 1'797 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201109-7ptcfxexxs/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

NanoCore

Malware Config

C2 Extraction:

kcbill.ooguy.com:6331

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe 3b8897f098ca8f20031317f168e5506a26ccf0ce72dbde710bfb86181c78aa8e

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample