MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19
SHA3-384 hash: 9853caaad02031dce8f8cf9f6d45746eba81fc3f03e50bb59eb717fa0e99e26243b4c0563a52cb61ce3f0d232f734afd
SHA1 hash: 71ca9deefc3a678bf7fde895978ff5ff5a67691a
MD5 hash: 82c01db6ccaa1c602b77c59b3ed64d71
humanhash: seven-robert-social-green
File name: IePZajh9fm9DACV.exe
Signature NanoCore
File size: 370'688 bytes
First seen: 2020-06-30 05:27:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:f4u8Lx5ggJec3PZEemlbtPsuh2eOBlf1J9ZcDCVmUoWlIxfT9Tl:f4u8d5gKec/ZVmZVV2e2vCWVTHo
TLSH CB74E018372D6837CEAC05F64482654007F5A2E23993F3D99DCDB0E826D6BDD1F12AA7
Reporter @abuse_ch
Tags: exe NanoCore nVpn RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: p3plwbeout14-06.prod.phx3.secureserver.net
Sending IP: 173.201.192.192
From: Gordon O'brien <Gordon.Obrien@g-obrien.co.uk>
Reply-To: Gordon O'brien <markhilton@blueyonder.co.uk>
Subject: L65190MH2004GOI148838
Attachment: IePZajh9fm9DACV.iso (contains "IePZajh9fm9DACV.exe")

NanoCore RAT C2:
u870797.nvpn.to:3119 (185.244.29.158)

Pointing to nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE
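The @abuse_ch report above carries two sets of indicators a defender can operationalise: the malspam pattern (a From address on one domain with a Reply-To on another, delivering an .iso that wraps the .exe) and the NanoCore C2 endpoint u870797.nvpn.to:3119 / 185.244.29.158. The Python below is an added example, not code from the MalwareBazaar entry or from abuse.ch; it runs those two checks over a constructed copy of the reported headers (the MIME body around them is ours) and over constructed firewall/DNS log lines whose format is an assumption, not that of any particular product.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators quoted from this MalwareBazaar entry / the @abuse_ch report.
C2_HOST = "u870797.nvpn.to"
C2_PORT = 3119
C2_IP = "185.244.29.158"

# Constructed reproduction of the reported message: the header values come from
# the report, the MIME structure around them is ours.
SAMPLE_MAIL = """\
Received: from p3plwbeout14-06.prod.phx3.secureserver.net ([173.201.192.192])
From: Gordon O'brien <Gordon.Obrien@g-obrien.co.uk>
Reply-To: Gordon O'brien <markhilton@blueyonder.co.uk>
Subject: L65190MH2004GOI148838
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="IePZajh9fm9DACV.iso"
Content-Disposition: attachment; filename="IePZajh9fm9DACV.iso"
Content-Transfer-Encoding: base64

--b1--
"""

# Constructed firewall/DNS log lines; the key=value format is an assumption.
SAMPLE_LOGS = [
    "2020-06-30T05:31:02Z dns client=10.0.0.17 query=u870797.nvpn.to type=A answer=185.244.29.158",
    "2020-06-30T05:31:02Z fw action=allow src=10.0.0.17:49212 dst=185.244.29.158:3119 proto=tcp",
    "2020-06-30T05:31:05Z fw action=allow src=10.0.0.17:49213 dst=93.184.216.34:443 proto=tcp",
    "2020-06-30T05:31:09Z fw action=allow src=10.0.0.22:51000 dst=185.244.29.158:443 proto=tcp",
]

# Disk-image formats commonly used to smuggle an executable past attachment filters.
CONTAINER_EXTS = (".iso", ".img", ".vhd", ".vhdx")


def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """Return (from_domain, reply_to_domain) when they differ, else None.

    In the report From is on g-obrien.co.uk and Reply-To on blueyonder.co.uk:
    replies go to an address the displayed sender does not control.
    """
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        return from_dom, reply_dom
    return None


def container_attachments(msg):
    """Filenames of attachments whose extension is a disk-image container."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename() and part.get_filename().lower().endswith(CONTAINER_EXTS)
    ]


def analyze_mail(raw):
    """Run both malspam heuristics on a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    return {
        "reply_to_mismatch": reply_to_mismatch(msg),
        "container_attachments": container_attachments(msg),
    }


# High confidence: the C2 hostname (case-insensitive) or the exact ip:port pair.
C2_PATTERNS = (
    re.compile(r"(?<![\w.-])" + re.escape(C2_HOST) + r"(?![\w-])", re.IGNORECASE),
    re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r":" + str(C2_PORT) + r"(?!\d)"),
)
# Low confidence: the bare IP on another port. The entry only reports 3119, and a
# hosting address may serve unrelated tenants, so this is surfaced separately.
IP_ONLY = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")


def match_c2(lines):
    """Bucket log lines into 'high' (hostname or ip:port) and 'low' (bare IP) hits."""
    hits = {"high": [], "low": []}
    for line in lines:
        if any(p.search(line) for p in C2_PATTERNS):
            hits["high"].append(line)
        elif IP_ONLY.search(line):
            hits["low"].append(line)
    return hits


if __name__ == "__main__":
    print(analyze_mail(SAMPLE_MAIL))
    for tier, lines in match_c2(SAMPLE_LOGS).items():
        for line in lines:
            print(f"C2 hit [{tier}]: {line}")
```

Two caveats on using this for real. A From/Reply-To domain mismatch on its own is common for mailing lists and ticketing systems, so it belongs in a scoring rule alongside the attachment check rather than as a block on its own. The ISO wrapper mattered because, until Windows changed the behaviour in late 2022, files inside a mounted image did not carry the Mark-of-the-Web, so SmartScreen and Office Protected View did not trigger on the extracted .exe; mail gateways should inspect the contents of image containers rather than the container's own type.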

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 33
Origin country: US
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/16767/
ClamAV: SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
CERT.PL MWDB Detection: nanocore
Link: https://mwdb.cert.pl/sample/70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19/
ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-30 01:41:03 UTC
AV detection: 23 of 30 (76.67%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-x3w19ngbfx/
Tags: keylogger trojan stealer spyware family:nanocore evasion
Config extraction: u870797.nvpn.to:3119
VirusTotal results: 31.94%

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch
Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research
Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T
Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  NanoCore
    Executable exe 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19 (this sample)

Delivery method: Distributed via e-mail attachment
