MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03eacd008568d29ca8c5a4b9735f7fb6d2b2e5b7a1726f7ed316380e7b9f3e5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 5 Comments

SHA256 hash: 03eacd008568d29ca8c5a4b9735f7fb6d2b2e5b7a1726f7ed316380e7b9f3e5c
SHA3-384 hash: 7fbf360ece4d75cda1a0c616dc55a8a45314667defc00f4a51fa23f3c35f01a81ad5ce82d7800b3dcbc7ec312368f0d1
SHA1 hash: 329d2c4fc04c8d98c846102d39a2c12611b85b2a
MD5 hash: b901ca3106d5eb2ed5ff46849648a237
humanhash: may-muppet-virginia-lake
File name:b901ca3106d5eb2ed5ff46849648a237.exe
Download: download sample
Signature NanoCore
File size:1'276'928 bytes
First seen:2020-06-18 16:08:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091
ssdeep 24576:rtb20pkaCqT5TBWgNQ7acvW8lDQ8Ixa7T56A:oVg5tQ7ac+8l88Ixs15
TLSH 8B45D01373DD8365C3B25273BA267701AEBB782506A5F96B2FD4093DF920122521EB73
Reporter @abuse_ch
Tags:exe NanoCore nVpn RAT


Twitter
@abuse_ch
NanoCore RAT C2:
79.134.225.23:1985

Hosted on nVpn:

% Information related to '79.134.224.0 - 79.134.255.255'

% Abuse contact for '79.134.224.0 - 79.134.255.255' is 'abuse@fink.org'

inetnum: 79.134.224.0 - 79.134.255.255
netname: CH-FINK-20071024
country: CH
org: ORG-AF26-RIPE
admin-c: AF15-RIPE
tech-c: AF15-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: AF15-MNT
mnt-lower: AF15-MNT
mnt-routes: AF15-MNT
created: 2016-10-21T11:09:10Z
last-modified: 2016-10-21T11:09:10Z
source: RIPE # Filtered

Intelligence


File Origin
# of uploads :
1
# of downloads :
33
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.NanoBot
Status:
Malicious
First seen:
2020-06-18 11:31:30 UTC
AV detection:
25 of 31 (80.65%)
Threat level
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Drops startup file
NanoCore
Malware Config
Extraction:
79.134.225.23:1985

Yara Signatures


Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 03eacd008568d29ca8c5a4b9735f7fb6d2b2e5b7a1726f7ed316380e7b9f3e5c

(this sample)

  
Delivery method
Distributed via web download

Comments