MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc7fd471fbfa9e9abdc8043c0ed151623675062a5373453dab344dcc895f0bb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	cc7fd471fbfa9e9abdc8043c0ed151623675062a5373453dab344dcc895f0bb3
SHA3-384 hash:	35190634b2bee14154dd0dc09955ae97558c8d8bcb57075db88484b3392a8e4d5bd09a77ec06fa6049a70e0b519b161e
SHA1 hash:	55c4c01203fa9ef2939588d2782b21f50c210b19
MD5 hash:	f7f38bfda15b80a88b575c02d6cbe186
humanhash:	beer-october-earth-kentucky
File name:	SecuriteInfo.com.BehavesLike.Win32.Generic.gc.16885
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	429'056 bytes
First seen:	2020-04-23 17:43:40 UTC
Last seen:	2022-03-23 13:44:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:fFIAycwz+zkr+Cv+zLEPdMnHs+Jy2tYz5y2Rz0tTsNZdbWVKHkYsQqt3aCM:y1l+Fw+XEPOMOa0Oz0t0bHkzb3a7
Threatray	1'087 similar samples on MalwareBazaar
TLSH	2194CFC60AE93D37C7CA51FAD41045819BB9CB23AA17FFF2E951A0F9C8533D1A916243
Reporter	SecuriteInfoCom
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.gc.16885.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-23 16:42:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zr75i4p37kpjvpoiaq6a5ukrmi3hkbrkknzukpnlgrg4zck7bozq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

140902e2a23240a35b3e72be9c0878d18c2a7b4780feab213cbcc03156804c05

NanoCore

293abba95362ff2a09dbb81d8cd4bb495da6d919950fec22ffc3880d8134eb49

NanoCore

515a2c1a3b19f636a6bf97af416d1d7c07e4780a51e4976e72bdb408f8379521

NanoCore

6163f1bf34c821d55a7e532009adc95ba921b28578a58336e5b01f6c09d4dad4

NanoCore

bc33d0face20153ffe1ebf0c3e9043894633a624d8e4214084c292e353777f46

NanoCore

cfe20c750574e668b6b88f9a0453762d5e0a82f7ba3ab879eacd85e0671035ae

NanoCore

e847719a98762bcf7422064186c2cdbb2f58000622448c3adcb6769b7cfbea68

NanoCore

ed1640ac6b131e600ada39bbd4453cabaea4375bd1308ff07bcf6630d6b38daa

NanoCore

f0fa2d366b28cfa858d00232f1073be3dbea215480c630a6489b38acdbb7af83

NanoCore

+ 1'077 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

exe cc7fd471fbfa9e9abdc8043c0ed151623675062a5373453dab344dcc895f0bb3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/348963/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample