MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2edc352a2a157c1ac51e314039ca894958635959d905900755992eed6a13256. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2edc352a2a157c1ac51e314039ca894958635959d905900755992eed6a13256
SHA3-384 hash: 5234b7a3ac78cc9738d3486cd19cb2a1402d5d926bbd248e04eebe70896e4971c810ab864992ae39f2471a30314fe8b4
SHA1 hash: b3a4dbe544498e01340dacdeacc9284929a582c3
MD5 hash: bb1b92cadb37426ac0d5e8e62cff705a
humanhash: eight-oven-uniform-fifteen
File name:Doc013.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:568'320 bytes
First seen:2020-03-23 12:09:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 54b0318c17711f82b010f55a964017e1 (1 x NanoCore)
ssdeep 12288:L5DHFNcbA0NdFYFL/rItPaPzt6EiG2GKcy5aHPr5pRXA+esTCmvNA:L5hibA6wHQPaPztWG2GKgHD5pj2mm
Threatray 1'059 similar samples on MalwareBazaar
TLSH D2C423C5E71006BCFE9A097E508C32987E388CA97D32D7130716CB4A7DA7327789675A
Reporter Racco42
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.AsprotectSke-6
Create hunting rule

PUA.Win.Packer.AsprotectSke-1
Create hunting rule

PUA.Win.Packer.AsprotectSke-4
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

PUA.Win.Packer.AsprotectSke-5
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-03-24 02:12:42 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lw4guvcufl4dlcr4mkahhfisskymnmvtwifsadvlgjo5vvbgjla._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
netwirerc
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
NanoCore
2a51dc72b480d943f292ef6137a3d864ac85fec1d59632c52d12636b7285bee9
NanoCore
4983921d3469aff39daaa738072cdf18171a7c98184a0a810c9d81daac7082e4
NanoCore
7404e34def5b0d893557483ab19926adc1635866bdfb0682adddc3caae877e03
NanoCore
812cdbdfa256af3a059c4016d47017c6a2b3a13790f077eb637493b76e9ec546
NanoCore
9836dae82868c0e7f17114f7fe63e0f5b94f8e99e0c597f43ae12a365458ff69
NanoCore
a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7
NanoCore
d832b9d26b8e022fb064d68edfcdc6e33a464fdd854f03c58d0e25b5ed9015ed
NanoCore
f304855a11aedd539b9bdb686b1d5781e0d7080560f9520c6bda8586947b3285
NanoCore
f4bf1d1294fcdebf960a81bc8bdf14edb488c4d844a90ab100a1d5354f8cd443
NanoCore
+ 1'049 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe d2edc352a2a157c1ac51e314039ca894958635959d905900755992eed6a13256

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CreateStreamOnHGlobal
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::CreateWindowExA

Comments