MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3513277194223ab378d98baeb6f4de4180f2499e3b4fb48a57e055512d173c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	d3513277194223ab378d98baeb6f4de4180f2499e3b4fb48a57e055512d173c5
SHA3-384 hash:	49cd136c2a77c42ff531078209064afcd23c7b81667b51f3d4795b5625335b6fff9f23e8d0f77ae03accb83c74e670a0
SHA1 hash:	172253b3f54adfe3ca6752c2222fccf5973c6bdb
MD5 hash:	5f59f9803e7a364a3560864e9d849001
humanhash:	berlin-quebec-foxtrot-zebra
File name:	5f59f9803e7a364a3560864e9d849001.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'738'752 bytes
First seen:	2020-05-18 16:54:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	49152:Fw80cTsjkWaxbv8MBuirlGjr5UKUueQ5EZD:y8sjkJ8MBuirIn5UKIQ5E
Threatray	1'806 similar samples on MalwareBazaar
TLSH	5685E02273DDC361CB66A173BF69B7013EBF78254630B95B2F880D7DA950162222D763
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

NanoCore RAT C2:
185.244.29.128:9995

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-18 15:31:05 UTC

AV detection:

21 of 31 (67.74%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2nite5yziir2wn4ntc5ow32n4qma6jez4o2pwsffpycvkewropcq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

10315925b522edfdb4a4fdbd067493ed9bf97796fc3dd61242de5b4bf71c6471

NanoCore

33318539cfd16ce1d6f1cd45885d39c5534b8ccc6a81a64b53fb890b96fd9cee

NanoCore

3b8897f098ca8f20031317f168e5506a26ccf0ce72dbde710bfb86181c78aa8e

NanoCore

5ba0464b431c033464dcf68f7fc327759729d35621fe43d3fbe31b1a5e9b8a88

NanoCore

64f61dd41ec3a411e647f6371b8500666db3c96cc57a8cb0c16d47cceaf12aa9

NanoCore

7cb0f80624431e1745d162ee3c2a4a25744f8d8fcbd95fe3c54f94214e826e0d

NanoCore

cb0a3504bf404124f83e0f9db5453ba1f1943f73dd19196a5b7d780ad2213bec

NanoCore

fcde661a96a6352ae04e5127c9d1844079dbd05980564cef93bdd96069fce8a0

NanoCore

ffffd192ab79755901f078b3f7c38faa29e8d8a944466a9ea6cd0a9c69a97ee7

NanoCore

+ 1'796 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201109-hy2mabl3fx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

NanoCore

Malware Config

C2 Extraction:

185.244.29.128:9995
127.0.0.1:9995

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe d3513277194223ab378d98baeb6f4de4180f2499e3b4fb48a57e055512d173c5

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample