MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 548c375182f63e134625ec757d001e42051be39bf22f4065932ba53557825312. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	548c375182f63e134625ec757d001e42051be39bf22f4065932ba53557825312
SHA3-384 hash:	478dfaf56fe938f19b0858daf8e351536e9cf5cf0f245079f49f1f3b0ef43bbb996663f0c66d7398b7dc7b978992f4af
SHA1 hash:	0c6e9ad2e78e4ac62beb9c3f3806b0e0e9fe0d4f
MD5 hash:	b2739f6ec18e593bfe048aa21825466c
humanhash:	uniform-tennessee-north-romeo
File name:	( PO-5674967 ).exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	3'513'344 bytes
First seen:	2020-05-25 14:13:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6f25fb96b6fd81b4bb5d3c9f918e98b8 (1 x NanoCore, 1 x QuasarRAT, 1 x Arechclient2)
ssdeep	98304:Wviz/27qWGq/TzuqCDl2Ptao7j6ECLgNR:Wviq75/TzufqZNR
Threatray	2'759 similar samples on MalwareBazaar
TLSH	36F5334077D8052BE1F2277128FD22470FB9BCB29A75D74E608422DE1976890E9F6F93
Reporter	abuse_ch
Tags:	exe geo KOR NanoCore RAT

abuse_ch

Malspam distributing NanoCore:

HELO: mail-smail-vm80.hanmail.net
Sending IP: 211.231.106.155
From: HANKS MING DUSS <aasa78@hanmail.net>
Subject: 구매 오더 ( PO-5674967 )
Attachment: PO-5674967 .zip (contains "( PO-5674967 ).exe")

NanoCore RAT C2:
cheks.ddns.net:24500 (105.112.98.4)

Intelligence

File Origin

# of uploads :

1

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Generic-6895514-0

Gathering data

Threat name:

Win32.Trojan.Nanobot

Status:

Malicious

First seen:

2020-05-25 12:06:00 UTC

File Type:

PE (Exe)

Extracted files:

765

AV detection:

22 of 30 (73.33%)

Threat level:

2/5

Verdict:

malicious

Label(s):

nanocorerat

Similar samples:

1f02d06a14d5e83c297271a24f9dad9f28d25e387bc65784077ddc27165290b5

250cfc3bf5271e6a5cdd6ebe240865bf2f960c877590b679c878181b42f85341

555618abdf6f7692936fc630a84a2d4e7bb5f7db4877975b5e98f77b939b2235

ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6

b0fedb5fc4232c07ff1161ddcc830cf11596ba2653cc7cea1d5666b4bab1f276

b2f041348835c102db3769245ee4c28dd00cb19c3c6710fc9c11228f3bbce61b

b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4

be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0

cfb6b2b831592f1ebd43929977ae4963f8c2b3b2472214c82c3c3c1513a6b54f

fc0ffda44e2748b424639a1592356cc209abf6045a8d6a069f5f562ea1f31763

+ 2'749 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-pqtkpw4ggj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Adds Run key to start application

Checks whether UAC is enabled

JavaScript code in executable

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

cheks.ddns.net:24500
127.0.0.1:24500

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 6e9c210ec357138119bf1933e242b618bb0c2af89074694f90c5df9c63f81c2b

exe 548c375182f63e134625ec757d001e42051be39bf22f4065932ba53557825312

(this sample)

Dropped by

MD5 b0d06d534869599439374d6b1888668e

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 6e9c210ec357138119bf1933e242b618bb0c2af89074694f90c5df9c63f81c2b

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample