MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e0a5536a96d3ea0b97b034c193bcb933f2dd8dfc8e159915951ab3842630b20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	3e0a5536a96d3ea0b97b034c193bcb933f2dd8dfc8e159915951ab3842630b20
SHA3-384 hash:	1330159006f58b80af012b2d100d74a0f6d1d72a4816b6bd49eb2b0aa944bf289e965603ea6c696335e982df4bcbc72f
SHA1 hash:	fb4bb75e46a400cf7f2f57eb33ed74ef5babe736
MD5 hash:	e5fd9d64ee33ddcb92a8374b14f790ae
humanhash:	august-winter-white-monkey
File name:	7QewnE7rhsBazbR.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	598'016 bytes
First seen:	2020-06-03 16:36:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:RbkJ5nPGstabaJaer4FswbmfSxxDmfxABGWUfZTvG9XNdMleZFic6LW/OPRnP5h6:BkX+sPPRP5hT/hatQ1
Threatray	1'882 similar samples on MalwareBazaar
TLSH	15D438AC761072EFC867D472DAA82C68FA5074BB831F4207942715ED9E4D99BCF244F2
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: dns109225.phdns5.es
Sending IP: 185.68.109.225
From: Jean Carlo <nnadaiyazhagan@tesla.com>
Subject: New Order_Sample/ 2957/2020 + 3006/2020 FINAL - Inquiry 52/2020 - PRs 89070 + 85938 + 89069
Attachment: Doc.001 (contains "7QewnE7rhsBazbR.exe")

NanoCore RAT C2:
79.134.225.103:1985

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.63'

% Abuse contact for '79.134.225.0 - 79.134.225.63' is 'abuse@anmaxx.net'

inetnum: 79.134.225.0 - 79.134.225.63
netname: BASEL-HOSTING-225-0
country: CH
admin-c: AM38880-RIPE
tech-c: AM38880-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
created: 2016-04-17T00:42:52Z
last-modified: 2016-04-18T06:23:19Z
source: RIPE
remarks: abuse-c AIS166-RIPE
org: ORG-AGIS12-RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-03 23:25:35 UTC

AV detection:

15 of 31 (48.39%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hyffknvjnu7kbol3angbso6lsm7s3wg7zdqvtekzkgvtqqtdbmqa._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

emotet

NanoCore

19dcafec37ae1784254a1e687c89f28f211b833a8ed7c5437db9443c5f51336c

NanoCore

3964739a8988be3dc3ffe71ce4fdd86bfef579f4cfdfac1c97d123805cd0ea2a

NanoCore

48f69c4f0432c9552fff3e4bd5274751ecd529365ccee42c7a3b5f3bbc83ffe5

NanoCore

4f5bf279812fb7f1276a7ce23071b23b6c9fc38938d52b846f060087285bdb41

NanoCore

71b9cfc637c0d49cc0375574e6254b09545d4ebc584b734aa8e35cf04b991332

NanoCore

84087e77b6088ef6e3d9a61f088ea5c6b6cb9bf1c7d852df6a12e745ab112c11

NanoCore

be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0

NanoCore

dd02cb85d94d9d687d5de330f198abd8f1a84720947c03dfad880526830986f3

NanoCore

e8254b66674540a3ccd19360e61beca8337a93af404f3486dca84a5bcdb3abd4

NanoCore

+ 1'872 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-58kcsj3vrx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

79.134.225.103:1985

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fd8b796a6e24fb26c3d84a6b3a7b30ed

NanoCore

exe 3e0a5536a96d3ea0b97b034c193bcb933f2dd8dfc8e159915951ab3842630b20

(this sample)

Dropped by

MD5 fd8b796a6e24fb26c3d84a6b3a7b30ed

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample