MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a828598f4c66e85305d93ce56bad4c27b7bd6a446eb9b9cec27d961b2591b95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	2a828598f4c66e85305d93ce56bad4c27b7bd6a446eb9b9cec27d961b2591b95
SHA3-384 hash:	7948df6dc9a0ed3ac899d589b4392057ab3d5dfe7834cbab76f819ebb16f7be9966ea1e5a96b46191c4fa2c43207a896
SHA1 hash:	243c1961e393aa5f7ca0dd48a91f951e6cadbb30
MD5 hash:	e45fc1ce72759efbd73464ce89b535d1
humanhash:	juliet-skylark-table-black
File name:	Payment_Reminder_UnPaid_PDF.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	852'992 bytes
First seen:	2020-07-21 18:48:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:QaNsQ3WkwhqPbFN03HxdB2fUQ178DotG990mkT0Rg2B1uef:9Puhyvwdsyoy0mkgG2B1ug
Threatray	1'565 similar samples on MalwareBazaar
TLSH	3E05E400E7B841DAD3FA0F35D6F0850C55B4AA5D97E2E6C61780F9BA5CE3FA44603E29
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: mail0.internationalfunraiser.monster
Sending IP: 104.168.169.84
From: Dropbox<contactsupport@internationalfunraiser.monster>
Reply-To: <bruce@hanshawsales.com>
Subject: Bruce Smith Sent You A Payment Reminder
Attachment: Payment_Reminder_UnPaid_PDF.zip (contains "Payment_Reminder_UnPaid_PDF.exe")

NanoCore RAT C2:
u870797.nvpn.to:3119 (185.244.29.158)

Pointing to nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.29.0 - 185.244.29.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-KP
country: KP
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: SUB-ALLOCATED PA
mnt-by: PRIVACYFIRST-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-07-14T13:29:24Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/30370/

Detection(s):

SecuriteInfo.com.MSIL.GenKryptik.EOQO.17033.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/2a828598f4c66e85305d93ce56bad4c27b7bd6a446eb9b9cec27d961b2591b95/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-21 18:50:08 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fkbilghuyzxikmc5sphfnowuyj5xxvvei3vzxhhme7mwdmszdokq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

23fb5bf57b70184335261dec8c9bd0976ef8c61d843486ffdc5692aa9618e58e

NanoCore

51031d05083e587fa113208a5de4c7f7c0bd4f6ee385bdfee92c63786f7d7e88

NanoCore

68f8acac4c0dfc81929e6ed2b67a306c5dab1606c377be8b5d6f35d8fc50dad0

NanoCore

b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057

NanoCore

c3ca6a64f95f07e7557eb0ed7968c7d7bf735b08478f517061542059930bbf32

NanoCore

d7f94abc222e9d72d3878ee97d3c257878e724bdb83e0ea9e92fc202d992be41

NanoCore

e212649c10ad952f2cd34debebdb80c6dfbeec214dbf352095eb65672ef2a1e9

NanoCore

eca13de65c0bea59c87ad6d8fd0d4d7083badd47dd919b5d407b77298ee36a85

NanoCore

f94fdbaf430c51b2d97e75c378a7e6cf66fbbe6984cc9348b9369a435fdaa2b1

NanoCore

+ 1'555 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

evasion trojan keylogger stealer spyware family:nanocore

Link:

https://tria.ge/reports/200721-yz2ssg6qfj/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetThreadContext

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

u870797.nvpn.to:3119

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/