MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6afb227c640c59b8f64fc5a16adf0a25e946cf47198992bc44044976a8c3bcf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	6afb227c640c59b8f64fc5a16adf0a25e946cf47198992bc44044976a8c3bcf3
SHA3-384 hash:	d2db0e26b7a3197af402e519b5d21277fb90b39db320c00e1003cd6e14494105c636ec3968ac885cd063fdd9b93d0882
SHA1 hash:	5e8c11e14da942cb722f64eed2b1448572d01c46
MD5 hash:	466f032a28eb6f80932346766e51026b
humanhash:	fish-five-network-hawaii
File name:	Purchase Order 04-29-2020.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	307'200 bytes
First seen:	2020-04-30 10:26:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:02r1TZxcplto5QDtzPPey80r91kAQIBYzTe:zrrxcplKqzPPHb9SAt
Threatray	1'103 similar samples on MalwareBazaar
TLSH	BA646B692DFC00B6E2A9C1F5CFD9CC3AB024D2B33111497418D6A65A8397EC3A5C767E
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: EUR05-AM6-obe.outbound.protection.outlook.com
Sending IP: 40.92.91.19
From: The Wilde Bakery . <thewildebakery@hotmail.com>
Subject: RE: Purchase Order 04-29-2020
Attachment: Purchase Order 04-29-2020.xz (contains "Purchase Order 04-29-2020.exe")

NanoCore RAT C2:
185.244.29.248:10011

Hosted on nvpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.43073455.1590.471.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Genkryptik

Status:

Malicious

First seen:

2020-04-30 04:50:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nl5se7debrm3r5spywqwvxykexuunt2hdgezfpcearexnkgdxtzq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

4541445886b88fa17c6ffc7b9c78fa0e22a43981ee45aebae9811896cf75151a

NanoCore

4df1395b3efc60787e9fbcc5708459e77c4f45941845a8ae97c1d70c9e046a95

NanoCore

7cdf1294eb40f2a207f55cbb1a68761135500f64bb077a7f4ba9a7d3098850f1

NanoCore

b4e0ba732f6ea2f91311f1734893509a774becd8ba18a73bd3a4d387b4f4b807

NanoCore

c468bd3a3346a551c79dc218b5110c775708441ea80ac938ca9d33322cbd6a24

NanoCore

ddf157853be3dbebba9eea0db9815017a0c7d8dded210a5c291d7b0ccd2fd2be

NanoCore

de931e02ce90c509d5dcf1c3d53352809a909410c00796bdfa9f10514a37a627

NanoCore

fde2be29a0b505216464cf8aa2213fe707b4848e54f092e17e278c753c5ee6e8

NanoCore

ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35

NanoCore

+ 1'093 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

xz 7590af85a5ad05ad7a297d75a8704515b267967d8b7bcb96e45b5edd284de12b

NanoCore

exe 6afb227c640c59b8f64fc5a16adf0a25e946cf47198992bc44044976a8c3bcf3

(this sample)

Dropped by

MD5 a344a2d03c8469e7dca8e69ad21ef788

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 7590af85a5ad05ad7a297d75a8704515b267967d8b7bcb96e45b5edd284de12b

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample