MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ece6274349758948b6af8836b151e12d2ae97b0e7806bc016dee0af026412b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	51ece6274349758948b6af8836b151e12d2ae97b0e7806bc016dee0af026412b
SHA3-384 hash:	62b4f95bfae16de126806272b64a475106ec7ea15a987b649793f3411de9a3f3eb73529b50162ec5a5fa788861ee3f14
SHA1 hash:	c997e313898deac7078b3e43439e4cb5aaf7779a
MD5 hash:	cdffac03c7fa1a3cfb6865955a631890
humanhash:	mike-video-happy-don
File name:	New-Inquiry 01052020.scr
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	578'048 bytes
First seen:	2020-05-01 12:50:26 UTC
Last seen:	2020-05-01 13:50:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:jMapp1aBJvCooWWBBcH3y6udkk4FGfENMAOYY:ZpLsCootBzMyE2D
Threatray	1'140 similar samples on MalwareBazaar
TLSH	06C48DA3365D4F7AEEDD95BAF228508087B6EE3AF382F75D25D0706F09B27518811432
Reporter	abuse_ch
Tags:	NanoCore nVpn RAT scr

abuse_ch

Malspam distributing NanoCore:

HELO: labex.net
Sending IP: 212.162.151.137
From: kamlesh kumar <kamlesh@labex.net>
Subject: Attention needed as per Order
Attachment: New-Inquiry 01052020.zip (contains "New-Inquiry 01052020.scr")

NanoCore RAT C2:
smartslaves.hopto.org:40007 (79.134.225.24)

Pointing to nvpn:

% Information related to '79.134.225.0 - 79.134.225.63'

% Abuse contact for '79.134.225.0 - 79.134.225.63' is 'abuse@anmaxx.net'

inetnum: 79.134.225.0 - 79.134.225.63
netname: BASEL-HOSTING-225-0
country: CH
admin-c: AM38880-RIPE
tech-c: AM38880-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
created: 2016-04-17T00:42:52Z
last-modified: 2016-04-18T06:23:19Z
source: RIPE
remarks: abuse-c AIS166-RIPE
org: ORG-AGIS12-RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.43686.28671.28056.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-01 14:14:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=khwomj2djf2yssfwv6ednmkr4ewsv2l3bz4anpabnxxav4bgievq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

1a0501b88c80241a5f72a29afaf75f5c60cd06a8e5e6d89f37f369d662f422b0

NanoCore

5d37ea9d96ae208d4df3961643780b97016cf055128483ae287ad86616cbea45

NanoCore

7cdf1294eb40f2a207f55cbb1a68761135500f64bb077a7f4ba9a7d3098850f1

NanoCore

9c62e75f2dc168671bddfe8cad2b102197c10d9039d8917a7637585ff603dbdd

NanoCore

9fc240db7a0cd883c35e2cbfc6e8dcb2bb3921514dbce65aef46711de4a06a6a

NanoCore

c4f0b3610d084b670fbcd8d5405153b208907ac348a190df4cfa41b1dc4f029c

NanoCore

d11f8cd2987a718cc9d0bd9de289ee8d90555115cb9d03fdc8f0b930898e4a75

NanoCore

d49621996ba7b43c8d7cb35403ccbb13c50f1a1dddc9492ce7a74abd8597a115

NanoCore

ddf157853be3dbebba9eea0db9815017a0c7d8dded210a5c291d7b0ccd2fd2be

NanoCore

+ 1'130 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip df438c4bbf20acdf17c9a267e7c26173a8d9155a477b752e7fd29e364d7e7c2f

NanoCore

exe 51ece6274349758948b6af8836b151e12d2ae97b0e7806bc016dee0af026412b

(this sample)

Dropped by

MD5 413436b0daebc27142fb8a7242e01717

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 df438c4bbf20acdf17c9a267e7c26173a8d9155a477b752e7fd29e364d7e7c2f

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample