MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6332d4b5b5984ebb39685164428ad0f1f1b04e82b14cd5d773bbdd0d4ad05dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	d6332d4b5b5984ebb39685164428ad0f1f1b04e82b14cd5d773bbdd0d4ad05dc
SHA3-384 hash:	ced1253dc7a7aeb9328d60679d39f3be84e3fa6d0ba919fd941634af92dcbf76b349b07e1b559c4324c1bf8d7af37e5d
SHA1 hash:	28cdd0673db28e5b383bcac81012206650a9a8db
MD5 hash:	964c22f7e89bf513de1c03964805855a
humanhash:	video-leopard-five-maine
File name:	COVID19 Test kit.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	706'560 bytes
First seen:	2020-05-04 04:15:52 UTC
Last seen:	2020-05-04 05:21:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	04e2f05a6b7f1bca9a63110a648d2cc2 (4 x Loki, 3 x AgentTesla, 2 x HawkEye)
ssdeep	12288:eS1EbL/CkhkAOo2zF7svoNG9VB4x2VYILbP66mq0zKqm4D/g4e0T2L10BvzHsdp8:L4/+AOo229y2V9Htmq/Sgl0Emsv3M
Threatray	3'414 similar samples on MalwareBazaar
TLSH	40E4AF22F6F1483FD1731A7C9D1B57ECAC2ABE112A2899462FF41C4C5F39682352B197
Reporter	jarumlus
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Nanocore.23.27714.26256.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Threat name:

Nanocore

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/357669

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

Win32.Trojan.Nanocore

Status:

Malicious

First seen:

2020-05-03 22:29:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2yzs2s23lgcoxm4wquleikfnb4prwbhifmkm2xlxho65bvfnaxoa._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

NanoCore

3e8fda53d335f929c539e5fbc47a79e166ecbfda4752c50544c429a199056c62

NanoCore

566a52a90df95efb099d508758e4d2d81ea9333c99837c42ecbda883c0e3716b

NanoCore

72085a6683fbd36131021d63dff1637225c452606c901a7ebe58bdd7795af521

NanoCore

87c615982865f3989839cf3e7c4eca736f6adf61db512210919208b91661e104

NanoCore

8ef62131890ff8a17d38d8a48997e01252f605b68249ae4a321407be410680dc

NanoCore

bc9deb7c274339a0a8b594def58348a995b3d7af4764c796c365b683b7400aea

NanoCore

e41e433626e9dbf6c3a56c29c9dc60adfa53f71cd1c3bc10d682a1b2239c576d

NanoCore

f7d4fb7b8ebeee21a2beb691d9b60ff2efb2a60f27e00d929d64db8fa2687a0f

NanoCore

fd54073286010523ef59ce428c3ae8b92f87abce1027ed232befe46499bf5e53

NanoCore

+ 3'404 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/201109-kbm56jmew6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

UPX packed file

NanoCore

Malware Config

C2 Extraction:

185.244.30.139:4050

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample