MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb0a3504bf404124f83e0f9db5453ba1f1943f73dd19196a5b7d780ad2213bec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	cb0a3504bf404124f83e0f9db5453ba1f1943f73dd19196a5b7d780ad2213bec
SHA3-384 hash:	05a5a6c0c8bfd62f581470a8014b98e96daa2bb70011b2418c392015804ed029742d733e3424e455f5c13d4652095ca2
SHA1 hash:	0e0d028b1aba27b241f8031b96c490d90eb265ce
MD5 hash:	8eddfc73cc9afba09b1cbc455ba23cd4
humanhash:	jig-emma-north-kentucky
File name:	8eddfc73cc9afba09b1cbc455ba23cd4.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'769'472 bytes
First seen:	2020-05-18 12:57:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	49152:lw80cTsjkWaaLk+YhtSlc05LXJyRrpbL0c:S8sjkcEyc4L5u9L0
Threatray	1'808 similar samples on MalwareBazaar
TLSH	6F85E02273DFC365DF669073BF59B7412EBB7C220630B9DB5E880D78A950261162C7A3
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

NanoCore RAT C2:
79.134.225.7:1800

Hosted at nVpn:

% Information related to '79.134.225.0 - 79.134.225.63'

% Abuse contact for '79.134.225.0 - 79.134.225.63' is 'abuse@anmaxx.net'

inetnum: 79.134.225.0 - 79.134.225.63
netname: BASEL-HOSTING-225-0
country: CH
admin-c: AM38880-RIPE
tech-c: AM38880-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
created: 2016-04-17T00:42:52Z
last-modified: 2016-04-18T06:23:19Z
source: RIPE
remarks: abuse-c AIS166-RIPE
org: ORG-AGIS12-RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-18 13:36:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zmfdkbf7ibasj6b6b6o3krj3uhyzip3t3umrs2s3pv4avurbhpwa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

241f09feda09dc33b86e23d317bc2425f4d43b91221815caa5eb055a9a97be74

NanoCore

33318539cfd16ce1d6f1cd45885d39c5534b8ccc6a81a64b53fb890b96fd9cee

NanoCore

4094559d24715a75e57c5067f731013d1f22e3dc343b75eca3eb710f4eebe08d

NanoCore

5ba0464b431c033464dcf68f7fc327759729d35621fe43d3fbe31b1a5e9b8a88

NanoCore

7cb0f80624431e1745d162ee3c2a4a25744f8d8fcbd95fe3c54f94214e826e0d

NanoCore

99e30892ad3ffaafd44af0a0ee9b8e9f1a61914d686fc9792baade292bbf5361

NanoCore

d3513277194223ab378d98baeb6f4de4180f2499e3b4fb48a57e055512d173c5

NanoCore

fcde661a96a6352ae04e5127c9d1844079dbd05980564cef93bdd96069fce8a0

NanoCore

ffffd192ab79755901f078b3f7c38faa29e8d8a944466a9ea6cd0a9c69a97ee7

NanoCore

+ 1'798 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-h6ckgdxyga/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

NanoCore

Malware Config

C2 Extraction:

79.134.225.7:1800

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe cb0a3504bf404124f83e0f9db5453ba1f1943f73dd19196a5b7d780ad2213bec

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample