MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 305eb08e59ef7e93a40e6eb8edf0c4a336ff54bfc07cac69d1744c949f53757e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 305eb08e59ef7e93a40e6eb8edf0c4a336ff54bfc07cac69d1744c949f53757e
SHA3-384 hash: 3abb6983833aead289a9d19940cfea6988b06a0e0177b87a133b465297f525724a1b586c205e4c16eb20d7a666ef2a27
SHA1 hash: 434f090315532907b68298d9083b3363c94a0497
MD5 hash: cf593bb4945ab19851e82c0c854cdcef
humanhash: asparagus-apart-hawaii-robert
File name:HLCUJK1200426084 INV 2097430962.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:516'608 bytes
First seen:2020-06-11 06:04:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ttTgup7OKawsxRt4TFlnkjXMuc1fU3AMm5A:trpRawGunkjXM63AM
Threatray 1'963 similar samples on MalwareBazaar
TLSH ACB4CE0472D27E5FC77E4DB2441328005BB1AAA77E1BF3435DCB11DA652DF8A4A80B9B
Reporter abuse_ch
Tags:exe MailChannels NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: bonobo.birch.relay.mailchannels.net
Sending IP: 23.83.209.22
From: YIKUN INDUSTRY COMPANY LIMITED <sunny@yikungroup.com>
Reply-To: sunny@yikungroup.com
Subject: Request for pending payment
Attachment: HLCUJK1200426084 INV 2097430962.zip (contains "HLCUJK1200426084 INV 2097430962.exe")

NanoCore RAT C2:
adikaremix.linkpc.net:1790 (185.140.53.13)

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8891/
Detection(s):
SecuriteInfo.com.ArtemisCF593BB4945A.22608.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 06:05:07 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbplbdsz557jhjaon24o34geum3p6vf7yb6ky2ororgjjh2tov7a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
2fd9f9784c8b9678b08dcb94886985fa7835d0135ea12689082e0bf604c19bbb
NanoCore
3e0a5536a96d3ea0b97b034c193bcb933f2dd8dfc8e159915951ab3842630b20
NanoCore
408b676c05cde3623e9271d39c20ec19aaa9ad9882db0f08451442379409be99
NanoCore
6343bc22fcb1a909e908ca7c0fa90d34e09f669dbd72a69e75ff8af7a9d217eb
NanoCore
67fef2f83af3da398f5e144ccc65e18d7d30b57f53d94658cd62fe53d5e3d81b
NanoCore
6eb10ca3e8026756f417b8e04510f768c28175817c73be8f21514dfb186d687f
NanoCore
8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4
NanoCore
8f98784c107af1ace1c7437d885de9d5e7c253389c53a10ebb8a8d1b3c49477d
NanoCore
91ec8e2e85917775a7055500c887bf49371679f772bd917c69dfb2b628f4a680
NanoCore
f036e2aa7615446d2cb3ab689b13aac4055bf2cb8b19b0999db08d7052a80bf1
NanoCore
+ 1'953 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-bblvtn2ew6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
adikaremix.linkpc.net:1790
185.140.53.13:1790
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 70ae9f204352242faa28e2d090c2ea16297dd2b1066d5e3c37ac04425a2e7967

NanoCore

Executable exe 305eb08e59ef7e93a40e6eb8edf0c4a336ff54bfc07cac69d1744c949f53757e

(this sample)

  
Dropped by
MD5 ba5abbbfa3dc48e37cfb4811e98447cf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 70ae9f204352242faa28e2d090c2ea16297dd2b1066d5e3c37ac04425a2e7967
Cape
Cape
https://www.capesandbox.com/analysis/8891/

Comments