MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edcb83c2513c6e0fe97acdc22e09a32b49dd85e00fba056b20dc8f168b488929. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edcb83c2513c6e0fe97acdc22e09a32b49dd85e00fba056b20dc8f168b488929
SHA3-384 hash: 48d0772635b2f0a670c933aeb0e6eca09ff986a46b45e31d190aae059677e73f017c5786cad72c63d82575e29b2a8136
SHA1 hash: fb93bcf9e0dab5c7b89401321813f7040b718df2
MD5 hash: b43b9eb8e5cd7a1b999f32776289035b
humanhash: johnny-diet-colorado-apart
File name:PO-bepan420429.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:387'072 bytes
First seen:2020-05-11 08:23:41 UTC
Last seen:2020-05-11 08:58:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:gqL+yGiqfCek3c+aX0ilHgtExlFE5aS/XmfdMveQTd5y6s34KHcG4GRgmG/wH0FB:yiqfCek3c+aX0ilHgkfieQTrR5KR4GRX
Threatray 1'192 similar samples on MalwareBazaar
TLSH 8E849E1532AC2B7AF4F66BF12AA4A451E7B1706A3456E7AD4CD210CB52F4F40C5B0E3B
Reporter abuse_ch
Tags:exe NanoCore


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: vps.dpcitqlia.com
Sending IP: 45.95.169.77
From: Julie Yang <ju.yang@beaulieuasia.com>
Subject: RE: RFQ (bealieu/Pando Order)
Attachment: PO-bepan420429.r11 (contains "PO-bepan420429.exe")

NanoCore RAT C2:
79.134.225.94:9124

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE


Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45506.30277.20180.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 11:44:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xfyhqsrhrxa72l2zxbc4cndfne53bpab65ak2za3shrnc2ireuq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
080a6fbf91637b683b6f363092f9b7d6e75b8442c6f9df32ffea0788e16fafdf
NanoCore
2273296f635f3e62fab2910123b1cf32832e3b62344a346a8663c2a31f00a98d
NanoCore
430596618928471c2bb2df11155686033c916418c1792875f329ae8156debfaa
NanoCore
474d3f5a1f7bb94a6573ea758326f0219ea37f880dd7fd273080d4060be8f54c
NanoCore
4c98f097a7d17f8919c172ba7fe52b8600d8edd484ded4637dade9cbb9201c18
NanoCore
92771caca06fe18551b241f2fd3e8d6f53c29d48d0e879c93c5458d9fabd082b
NanoCore
c43d85dc319a3e0e9faeb9aa8967ab597ce9c7d76d78ad5d7cea309b73a7b653
NanoCore
c4f0b3610d084b670fbcd8d5405153b208907ac348a190df4cfa41b1dc4f029c
NanoCore
cbd78bfa67cd972d5c01472ce3f98e4500744c2544ca5fdddc3d9df49fbf1227
NanoCore
ce8036a3dce940ac788926ec9b76a2cef7974335c9bdfc5dc0e36252eeafbb6f
NanoCore
+ 1'182 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-ckfx6evwj6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
79.134.225.94:9124
127.0.0.1:9124
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar b516cf5284b513468c4df2702eab88d4c5d75e926246e97dc61ee8696716c39d

NanoCore

Executable exe edcb83c2513c6e0fe97acdc22e09a32b49dd85e00fba056b20dc8f168b488929

(this sample)

  
Dropped by
MD5 d481a1dbc48aa308af16897fb3a0613f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b516cf5284b513468c4df2702eab88d4c5d75e926246e97dc61ee8696716c39d

Comments