MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c21dfa284b8375b585e7d3933846c3d61337a2e0ed66cd69f1bfa81a40e4b10b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: c21dfa284b8375b585e7d3933846c3d61337a2e0ed66cd69f1bfa81a40e4b10b
SHA3-384 hash: d06747697f62828114dbe10e315961e807b54bfb176d2932590635264c5dff2c9e429879be1fc035d22da094d85136df
SHA1 hash: 8a5a8ce765fff4f376593da8e4e6ab09b6c071b2
MD5 hash: f31268ff6a851fb8c759cf68e102ec45
humanhash: angel-floor-floor-twelve
File name: PAYMENT NOTIFICATION_29-06-2020.exe
Signature: NanoCore
File size: 1'004'566 bytes
First seen: 2020-06-30 06:33:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3
ssdeep 24576:6NA3R5drXdtDmNbZ33FdmaM02ZzoBHhev4wwMny1bO:z5bD8bZHFM0MoB+4RKyA
TLSH A7251202F7C584B2E6731D360A25E720B97CBD605E35CA6FB7D44D6DAA31091A234BB3
Reporter: @abuse_ch
Tags: exe NanoCore RAT


Twitter
@abuse_ch
NanoCore RAT C2:
iutkcom.duckdns.org:54986 (172.94.47.73)

Intelligence


Mail intelligence: No data
# of uploads: 1
# of downloads: 31
Origin country: US
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/16827/
ClamAV: PUA.Win.Downloader.Aiis-6803892-0
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
CERT.PL MWDB Detection: nanocore
Link: https://mwdb.cert.pl/sample/c21dfa284b8375b585e7d3933846c3d61337a2e0ed66cd69f1bfa81a40e4b10b/
ReversingLabs: Status: Malicious
Threat name: Win32.Trojan.Nanobot
First seen: 2020-06-30 06:35:04 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-wrvkyf6ean/
Tags: persistence keylogger trojan stealer spyware family:nanocore evasion
Config extraction: iutkcom.duckdns.org:54986
katrinapastternak.duckdns.org:54986
VirusTotal: Virustotal results 43.66%

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detetcs the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe c21dfa284b8375b585e7d3933846c3d61337a2e0ed66cd69f1bfa81a40e4b10b

(this sample)


Delivery method: Distributed via e-mail attachment

Comments