MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86e7c721f7fd48bd652d9a36a32e5744bd8ae0b02701f3d3086f9c7603a31369. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86e7c721f7fd48bd652d9a36a32e5744bd8ae0b02701f3d3086f9c7603a31369
SHA3-384 hash: 52218b82980f9686b2d3f957abb27d9079dd32dbafd894ce0655985ebcc311f84fc2b267a6b5ad8039f8b8d5f3351daf
SHA1 hash: 50a463e366f0a763739b21eff0cdb21111454e50
MD5 hash: 8c8511c9f1d403bc6fe92b029fb54a11
humanhash: leopard-lion-idaho-grey
File name:Doc.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:477'696 bytes
First seen:2020-05-01 15:09:06 UTC
Last seen:2020-05-01 15:55:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:8vgTOOaI6WfSUvqjXry+BXQmk3xDUBOnvTitX1REUOp14yBR3WukzGYB9M6PWhXt:iWaUYf/kZUIvT+EUdZyhXL3bznuxw
Threatray 1'148 similar samples on MalwareBazaar
TLSH 6CA4AF9926E8463BE7DE06BDD07924D0C7F4B96B62C3FF8E89B041B80D93741E842567
Reporter abuse_ch
Tags:exe geo MKD NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: dharmajaya.co.id
Sending IP: 103.113.170.147
From: Полиција <invitations@e-can.com.tw>
Subject: Последната полициска покана пред апсењето
Attachment: Doc.iso (contains "Doc.exe")

NanoCore RAT C2:
172.111.188.199:8829

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.43686.13883.32385.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 15:36:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q3t4oipx7vel2zjnti3kglsxis6yvyfqe4a7huyin6ohma5dcnuq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
023f0a5d97bc9513ebf82fa8bebc612322a31372e7d378844a6198b2399356a5
NanoCore
2bb06f09556b4531015208c97a20dd3b56d6b82b2d3f49a353dc65be55da4623
NanoCore
34a3ed451a024500c8d0002f55a7884bb22571baf0c71dbd412fed588d814034
NanoCore
51ece6274349758948b6af8836b151e12d2ae97b0e7806bc016dee0af026412b
NanoCore
619a5e8a0ade93b187c7f438bcb7c5bb15a33da3148176513a2c0010c7960cd4
NanoCore
63ffc920c99c00673877a870e745cd73a11892a464bb04f484d6b166db7fd1d4
NanoCore
72ec03ca08ff77ca14f3a6391fed5e716df65cbca4329a372876dbb451cbc448
NanoCore
906f3fbf6a6face0d18f8e7d6b4f670df91f558cb9f4719fea860748f3964891
NanoCore
bf0ad956a210613614b06919c4663576b23ed1c415ddd5051ff858c84a1554e4
NanoCore
c639174f0dd193464782b116b0924d7b46c0390fa023093269fb304178c4b403
NanoCore
+ 1'138 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso d4d85233fc3fc9f41440322c310e0d4641b555836a0581affdd74b598db07f9a

NanoCore

Executable exe 86e7c721f7fd48bd652d9a36a32e5744bd8ae0b02701f3d3086f9c7603a31369

(this sample)

  
Dropped by
MD5 563b3ecd1d843b551785ade4090ba1e3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d4d85233fc3fc9f41440322c310e0d4641b555836a0581affdd74b598db07f9a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments