MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c639174f0dd193464782b116b0924d7b46c0390fa023093269fb304178c4b403. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c639174f0dd193464782b116b0924d7b46c0390fa023093269fb304178c4b403
SHA3-384 hash: fcb93fea6bc4372276dd70fe190e525139ddc3e78314c6f03e6ab5384e3a8c7b424e1051d255bab79cbd51a6ddcf65d8
SHA1 hash: 2290e384617efc4f00fcd0c979692162aef9f5d7
MD5 hash: 884a509f47d321622a549aa0ef42b26e
humanhash: pennsylvania-lamp-arizona-uranus
File name:Informacion de envo confidencial datos personales doc.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:475'648 bytes
First seen:2020-05-01 12:25:21 UTC
Last seen:2020-05-01 13:03:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:M2+HMGAiQVn0Z77uUbFUMKD2Cttb/AZ+Z:aGiU0Z77uUbFUMKDTt5
Threatray 1'137 similar samples on MalwareBazaar
TLSH 47A4C01602AC462FEAFE4678D1682580C7F5A55BE2C3F75F699080FC0C96B4DED92363
Reporter abuse_ch
Tags:ESP exe geo NanoCore


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: dharmajaya.co.id
Sending IP: 103.113.170.147
From: MRW-03016grupomrw.com <no-reply@posta.hu>
Subject: Fwd:RE: Recogida
Attachment: Informacion de envo confidencial datos personales doc.r22 (contains "Informacion de envo confidencial datos personales doc.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.43686.15125.945.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 05:03:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yy4rotyn2gjumr4cwellbesnpndmaoipuarqsmtj7myec6gewqbq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
023f0a5d97bc9513ebf82fa8bebc612322a31372e7d378844a6198b2399356a5
NanoCore
34a3ed451a024500c8d0002f55a7884bb22571baf0c71dbd412fed588d814034
NanoCore
51ece6274349758948b6af8836b151e12d2ae97b0e7806bc016dee0af026412b
NanoCore
619a5e8a0ade93b187c7f438bcb7c5bb15a33da3148176513a2c0010c7960cd4
NanoCore
63ffc920c99c00673877a870e745cd73a11892a464bb04f484d6b166db7fd1d4
NanoCore
72ec03ca08ff77ca14f3a6391fed5e716df65cbca4329a372876dbb451cbc448
NanoCore
86e7c721f7fd48bd652d9a36a32e5744bd8ae0b02701f3d3086f9c7603a31369
NanoCore
906f3fbf6a6face0d18f8e7d6b4f670df91f558cb9f4719fea860748f3964891
NanoCore
acd3a83423dcabf68bbb38ebc886f923fd1c5ba2fbf13f68e377f8895a1c5073
NanoCore
bf0ad956a210613614b06919c4663576b23ed1c415ddd5051ff858c84a1554e4
NanoCore
+ 1'127 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 0450bc9613570fe23007b9c42fb2aa94e05cdf71fdae353148934706749ed509

NanoCore

Executable exe c639174f0dd193464782b116b0924d7b46c0390fa023093269fb304178c4b403

(this sample)

  
Dropped by
MD5 5f12a60e810a9cb82cbdbb5d24919e89
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0450bc9613570fe23007b9c42fb2aa94e05cdf71fdae353148934706749ed509

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments