MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e31c8b099b67a798b809a8c4d37462d822868abc58e1b8e3ce88fb521723b92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e31c8b099b67a798b809a8c4d37462d822868abc58e1b8e3ce88fb521723b92
SHA3-384 hash: 890fc5925adbfec7b627c82bd525a3559c47223d41c5daf33cdeaff526647d0489535b16fd2d4beed7622e979adf563a
SHA1 hash: 04bdaf88e3bcd44c6072a924d191637c1a196732
MD5 hash: eec93f44b9cdec551aeb999415e097d6
humanhash: hawaii-aspen-quiet-berlin
File name:dK66Y8jAEFVVUny.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:615'424 bytes
First seen:2020-06-04 17:30:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ZDp+8XHnmWxBf3FUM4cggf9RnwEmD4e7H1I7Cysd2DgLoNu/FaM:T+9yf13bf9RnwEmFVIeyzgLI
Threatray 4'054 similar samples on MalwareBazaar
TLSH 22D4F14436F1B95DC67BCDB18D721C1087B0B4ABAE17E6571CDB20DA066DB828B01FA7
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: vps.yidagnp.com
Sending IP: 45.95.169.73
From: CORREO ARGENTINO POST SERVICIO RECIBO IMPRESO <info@yidagnp.com>
Subject: Re: SERVICIO POSTAL CORREO ARGENTINO
Attachment: Servicio Postal de Correo Argentino.r11 (contains "dK66Y8jAEFVVUny.exe")

NanoCore RAT C2:
185.244.29.128:9995

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 17:36:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hyy4rmezwz5htc4atkge2n2gfwbcq2flywhbxdr45ch3kilshoja._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
424d8d094142aa0b55c480702b9e0b3f7e35ce0f35ba1ebb05cbc155af524805
NanoCore
53006066e227644c4004569894469b03cf75c1b88c9adc903437cad16508e1f9
NanoCore
5ca99517ae76972d3dab6e51515a57e15e75e7bb7c3a7e16228f770fcc7833e9
NanoCore
682cb1c003d98478150a40e5a6eed75332e34a611749eed232e88bf6020b2c4b
NanoCore
8366973011083e5a6ddd8b602c3bfb70d6334e9a28a0113215197c97774d6b0c
NanoCore
924f538f64249aaaf38b2e61949ec730a080ffd12f5c1e9ab1b396c63697034c
NanoCore
a6fa24e0210cf4e792b983adf65416871b6a4792fbd5ba3ccaf15484159c776b
NanoCore
c68aebc128170cdda0e20c27d686b8e16c22b920089f7633a34034bc29a32253
NanoCore
f728252169da3a6dc69cd201835230c017ce37c9a9cd06c1e7daa3153ebc6f80
NanoCore
fe9732838a0e6bcbf67213e7fd8bd7ca5e9b35a27041c50b74ca26bb08133fbd
NanoCore
+ 4'044 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-jgfnt418ze/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
185.244.29.128:9995
127.0.0.1:9995
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 7325d1f4e080d0d7f9ed2f8279bc64b8ae900d9223d2f385d97bf994e5b5c9a1

NanoCore

Executable exe 3e31c8b099b67a798b809a8c4d37462d822868abc58e1b8e3ce88fb521723b92

(this sample)

  
Dropped by
MD5 9b6b57933335cdc7d908f9913acc1a7c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7325d1f4e080d0d7f9ed2f8279bc64b8ae900d9223d2f385d97bf994e5b5c9a1

Comments