MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 894476db154bd989bb2969e4c749314058cd602d64071963972a432394340edb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	894476db154bd989bb2969e4c749314058cd602d64071963972a432394340edb
SHA3-384 hash:	68b2322c246a90e993f0ca7d7c0a7d004db35f26f355dd80896157b217396e0284852c2652282f779e60cb1a53550cae
SHA1 hash:	2da8af659b4ebf63248486990dc8a7aa432d1252
MD5 hash:	5366a9338858d740e934c76ff4d4093d
humanhash:	jupiter-timing-september-oscar
File name:	AWB-FedxDetails.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	303'104 bytes
First seen:	2020-03-26 05:39:44 UTC
Last seen:	2020-03-26 07:35:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:+FP5syT0pER/d4tNBIbxeS5hqgZR8JZJxzEx/rFoY+3TPequkgTNaZzB+Bp:+PvswiNBIbxeS5hRcZjzUZo7Kino
Threatray	1'221 similar samples on MalwareBazaar
TLSH	70541250FA68101FC71A68FC4660E0A753B48F72B2E1F7FD28D978A16816FDD868174B
Reporter	jarumlus
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.DownLoader33.21586.12428.19068.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-03-26 03:58:00 UTC

AV detection:

27 of 30 (90.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rfchnwyvjpmytozjnhsmosjribmm2ybnmqdrsy4xfjbshfbub3nq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

15f16edea0ca4f3b0a43c1b4e232a30294bd25c3f4971cdaccabcfda45dfa9c9

NanoCore

17976b00ac98edbfed8a513caeb5d757c334ed3e1f94712212b5b7a4ac1f226e

NanoCore

290fb785e3b59196b2c3d474822f7dd18eaa9d13526c19b9f5dfd51ba3cb4756

NanoCore

5106eff2035cae4bc844f175750857ecffe095b70f7872ddd212bedce7776e80

NanoCore

58dea698e2c5b2a9310769bd735db939a1b6ed8cc80fdbc3aa5f0f6e25a074fc

NanoCore

6ece00da69537d12d933cfc710ef0be2f76ee8d39c111ba1726bd47c8fb8acb1

NanoCore

98cfc2f76ee8cefd9aa0b9be4c317800223f93ffb6e63577e8a9466693585515

NanoCore

b47fd439f5f744bb6e3dead9204f558d2536dd82ceab7d1df41dbbe184fa9c2f

NanoCore

c166a4a1899462e20516825c87f9545cdc7b24654d1f18b864da4ee641af5ace

NanoCore

+ 1'211 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample