MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eddb02f1d6ecdcfb30630930e91c51d05d71e18b348c4e3ef2f6a84d2895ba6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eddb02f1d6ecdcfb30630930e91c51d05d71e18b348c4e3ef2f6a84d2895ba6d
SHA3-384 hash: 88377812d8812b950bff7e217ad0e0fafa9f587862d4d877109e51698909b31599d68651cb42962221d13effcae2aef3
SHA1 hash: b9ab4c408cdef72ead89d35f3b84d9b1927072ae
MD5 hash: 6974295bc671f842efd93381968105b7
humanhash: table-california-missouri-minnesota
File name:Scan-0581110_pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:689'152 bytes
First seen:2020-05-25 09:23:24 UTC
Last seen:2020-05-25 10:16:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94127ecd07060b70a59da9daa8009625 (3 x Loki, 3 x NanoCore, 3 x AgentTesla)
ssdeep 12288:t2Zq148Ejvc94vSStfq6e0837XjzNciICZ7oxeJ1TqQOeVF:gcgUVWFB8z5Z7xnb
Threatray 3'341 similar samples on MalwareBazaar
TLSH 09E4AE32E2E07832C162163D9F4B5678D826BE51393859772BE4DF4CEF2528134EB297
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: serve0.chinarubii.pw
Sending IP: 173.82.119.236
From: Account payables <accounting@dynastysfo.com>
Subject: FW: Bank Transfer Confirmation
Attachment: Scan-0581110_pdf.gz (contains "Scan-0581110_pdf.exe")

NanoCore RAT C2:
23.82.140.49:4111

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 06:41:58 UTC
File Type:
PE (Exe)
Extracted files:
295
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2a51dc72b480d943f292ef6137a3d864ac85fec1d59632c52d12636b7285bee9
NanoCore
6979a4bd390d6bf55225b6b4e5136a633502273812e1be5269e06318f778100a
NanoCore
766904989084e0264f16fd4aff548ca862836d2f6a4ce72c4d0bf66ff78ec478
NanoCore
7ff651aa9581a2cb706e1aeb7957f06a70a6718abd0a6449a039006e9eff06dc
NanoCore
8359e964cc6f542d0b069ece3e6529726d432b4946e054ac3b1c1bedcef2f7d8
NanoCore
aaa969de94835c4f59740b9bc3463693142db72d094969962d353c6466c10cd5
NanoCore
bd23c3a3d5215798a115525fe15803ee5f4393ae77d49e081770761beecb14ea
NanoCore
d4d803a83e2c4c348972b6b8e5fce93416b0c60977a447818f592795505fdff1
NanoCore
dbbaf0499e544e3832699110f71f62a521ec93cc8a74656c92af7023f554d897
NanoCore
f7c15b22bb99bfb56eabcd9b8c985c15c5d9ed341303b39362dccb6808a6a498
NanoCore
+ 3'331 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-hdr4kzl36x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
UPX packed file
NanoCore
Malware Config
C2 Extraction:
23.82.140.49:4111
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip d01153145f5e59bcfd7116702e1e63739eb41c33088ec64b748c7df8936b4f10

NanoCore

Executable exe eddb02f1d6ecdcfb30630930e91c51d05d71e18b348c4e3ef2f6a84d2895ba6d

(this sample)

  
Dropped by
MD5 facb3f68bd01c9c4088391bd6d1047ee
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d01153145f5e59bcfd7116702e1e63739eb41c33088ec64b748c7df8936b4f10

Comments