MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15d88e59e80b15ed7b24ffd1a496ff718b76a6a7d06cc2be0d1f91e460871c12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 5 Comments

SHA256 hash: 15d88e59e80b15ed7b24ffd1a496ff718b76a6a7d06cc2be0d1f91e460871c12
SHA3-384 hash: a4111d19280a48973a8241a07f44f91c3864925fdbce0879c8caa07a4a146883a57cfbc9c4b97ce597f4e590ec266c36
SHA1 hash: 9a4e72401d131a71c240572b21b78eeb7f358ccd
MD5 hash: bf4ce7216c42ffe8a611fd43fdf34067
humanhash: alabama-sodium-eighteen-missouri
File name:9174832 Invoice.exe
Download: download sample
Signature NanoCore
File size:1'322'496 bytes
First seen:2020-06-17 05:21:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7
ssdeep 24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHa7CMIo80WDHikGMKw6nYa95:gh+ZkldoPK8Ya7Ko802Hi8kz
TLSH B655AD0263919026FFAFA1735B55B24146BCE8253123CCFF12A8D979A9705E12E3D36F
Reporter @abuse_ch
Tags:exe NanoCore nVpn RAT


Twitter
@abuse_ch
NanoCore RAT C2:
omojune.duckdns.org:8090 (185.165.153.45)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence


File Origin
# of uploads :
1
# of downloads :
30
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Predator
Status:
Malicious
First seen:
2020-06-17 05:23:05 UTC
AV detection:
27 of 31 (87.10%)
Threat level
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
Extraction:
omojune.duckdns.org:8090

Yara Signatures


Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 15d88e59e80b15ed7b24ffd1a496ff718b76a6a7d06cc2be0d1f91e460871c12

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments