MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f003ca84db5f82fcf36040f7d97baae64e0582e830c8c1cea65c32c3d5b21d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 2f003ca84db5f82fcf36040f7d97baae64e0582e830c8c1cea65c32c3d5b21d5
SHA3-384 hash: 42a22c9c96ecb33e8b300448a477636be56652cce0b47c2a35bd6bd3d894bd34d17368cd45f473c671fc0d057c7dc851
SHA1 hash: c750895954a1fab95f6704a9c3c3e88b0eee7152
MD5 hash: 4ba03c618eccb7673a226395511dea83
humanhash: mountain-aspen-victor-west
File name: Invoice.exe
Signature: NanoCore
File size: 323'072 bytes
First seen: 2020-06-30 16:48:15 UTC
Last seen: 2020-06-30 17:57:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:YIRNbPE2dwAOB6+paqVQUBkQ2cVxYQXIYiBV4ScLefPAIVShAwXBsDk:3RSHPB6+gXUBkQ9VxYmsBGMLVShDXz
TLSH: 3D64E04BCBA88A5BC6CA6235E843C5138F35D1913446E7471D74A1EFB98F3E81A412BF
Reporter: @abuse_ch
Tags: exe NanoCore RAT


Twitter: @abuse_ch
Malspam distributing NanoCore:

HELO: c-ncestry.site
Sending IP: 62.173.141.62
From: Mike James <info@c-ncestry.site>
Subject: your documents
Attachment: Invoice.img (contains "Invoice.exe")

NanoCore RAT C2:
206.123.141.99:50572

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 35
Origin country: FR
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/17475/
ClamAV: SecuriteInfo.com.MSIL.Kryptik.WOX.4877.UNOFFICIAL
CERT.PL MWDB Detection: n/a
Link: https://mwdb.cert.pl/sample/2f003ca84db5f82fcf36040f7d97baae64e0582e830c8c1cea65c32c3d5b21d5/
ReversingLabs: Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-30 14:44:10 UTC
AV detection: 21 of 31 (67.74%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-k8xr5b9x62/
Tags: evasion trojan keylogger stealer spyware family:nanocore
Config extraction: 5.9.145.244:50572, 206.123.141.99:50572
VirusTotal: 28.77%

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 2742c817a3c17adf1eb3a45f039c2e89 (NanoCore)
This sample: Executable exe 2f003ca84db5f82fcf36040f7d97baae64e0582e830c8c1cea65c32c3d5b21d5
Delivery method: Distributed via e-mail attachment

Comments