MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06aa63b0dc8aaba5ee000b37935cf4a2e5d49167b9e51033c13937fc69b84cd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	06aa63b0dc8aaba5ee000b37935cf4a2e5d49167b9e51033c13937fc69b84cd9
SHA3-384 hash:	a626101c0e71fda8ad79fc0de7f79f9988a76a26f26dff3a8d99097b1889528f9c5ac048f9efbba6b6cd90456d29011d
SHA1 hash:	bcf9a652e61415d349b72a47fc25f9122f782041
MD5 hash:	1c9f84365ad550a5f85f73f60573b6ea
humanhash:	coffee-football-red-lemon
File name:	Pipe Specs.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'648'128 bytes
First seen:	2020-05-06 18:52:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:jtb20pkaCqT5TBWgNQ7a4dSGM+DkSkhQhwp0Nj0FrfCTeJw+wL6A:gVg5tQ7a4X7DkJmSpKjmtg5
Threatray	1'904 similar samples on MalwareBazaar
TLSH	4175DF2223DD8251E27F51737A156741EE7BE82535A1FC7B2FB4C93CA8221214F0E66B
Reporter	abuse_ch
Tags:	exe NanoCore

abuse_ch

Malspam distributing NanoCore:

HELO: vivo.com
Sending IP: 217.61.98.6
From: Vicky lee <vicky@adanapipes.com>
Reply-To: odelljammie@gmail.com
Subject: Scheduled Pipe
Attachment: Pipe Specs.gz (contains "Pipe Specs.exe")

NanoCore RAT C2:
79.134.225.93:1985

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-06 19:11:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=a2vghmg4rkv2l3qabm3zgxhuuls5jelhxhsram6bhe37y2nyjtmq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

4d42868a3dbc835f6c25856f51ca721a2e7eac4c9a775c67029b831ffed156cc

NanoCore

6266401f72539a6707cd55f3e277f6f878e8826af0f2944f7538319c08adc9e7

NanoCore

790ddf3ff510253b5db189de93fb5e43fadc838d1c254d1d7f5236473e43526a

NanoCore

89f5773de397e09275d7d02812ec937343e878030232964061bb6aafdea5ccde

NanoCore

ba16a65c18b43738c394c42b43160d34f233feae20d45209c6f759c14482b58b

NanoCore

c7d61fee58d6bb0e581f517fff6ab3c3738fbb12a261e3ce10c525d18fc1c1a9

NanoCore

da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002

NanoCore

e9fc4844ee50f9e59616bd7238bfae3de6b8b194abf635e787e5a44d8658fe42

NanoCore

fa02a7e8922b8a0a152ff8ced55d3b005e6eac67af9d9eff7ec03192b6d1aee3

NanoCore

+ 1'894 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-6scxppvxcn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

NanoCore

Malware Config

C2 Extraction:

79.134.225.93:1985
127.0.0.1:1985

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d71510a50155a962457cff887b3b3411

NanoCore

exe 06aa63b0dc8aaba5ee000b37935cf4a2e5d49167b9e51033c13937fc69b84cd9

(this sample)

Dropped by

MD5 d71510a50155a962457cff887b3b3411

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample