MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640ec1c90399bdc31dcb2a5bc4fcfb9b2409d5e00b091eed599a423346475275. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 640ec1c90399bdc31dcb2a5bc4fcfb9b2409d5e00b091eed599a423346475275
SHA3-384 hash: 6112059b76bf5cd721428d31cc32f69aef388efed31094eed416b801abbf502060cb870fc766a4ff4dae7f2a04c1efee
SHA1 hash: c05aa992579694de76e365a2377f912c42f4b226
MD5 hash: 0f3179899f28704dbf80c53be341d3cc
humanhash: massachusetts-zulu-utah-mountain
File name:Invoice.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:446'464 bytes
First seen:2020-06-02 19:15:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:DMhhKAYAJlW7uvOmT5RI53Bh1c+h/Mw5oXRS/PB2:x/AJlW7zQQ5q
Threatray 828 similar samples on MalwareBazaar
TLSH 35948D9C762072EFC857D4729EA81C64EA9078BB831F5613942725EDEE4D897CF240F2
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: antispam.ktu.edu.tr
Sending IP: 193.140.168.5
From: ahmet.sari@ktu.edu.tr
Subject: Payment has been sent
Attachment: Invoice.img (contains "Invoice.exe")

NanoCore C2:
185.244.29.223:24980

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 19:35:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
19 of 31 (61.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqhmdsidtg64gholfjn4j7h3tmsatvpabmer53kztjbdgrshkj2q._file
Verdict:
malicious
Similar samples:
006e2d9f385a7c4d88299832906bf975a311e61ad24fb8b5b1130a9f308cb8c7
NanoCore
00c47b353869bd10336878ab126ad47ba22f370c1adf89310a589d5a6c14bfe4
NanoCore
08e48ae78ea30aa0ba997b98f6dc85bcb40aa6969752fd96f7d11e8124e7f719
NanoCore
2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5
NanoCore
40503a4df817599fdf0125c5b99076700718e3eb50bbb759d139aa95a8d18d59
NanoCore
785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f
NanoCore
8b8c1a8d955a33aee2a355050c138ce891207b2dcb37967ab24d278abdf98254
NanoCore
a33a4dcab1d0b4c87dc0041862aef871d365273a0baa94162ef4ff85af51c578
NanoCore
a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8
NanoCore
b3eea3acbb129b3be2fe22a3c4b4cff9663939b9783f41a9931aecdfb318dd7c
NanoCore
+ 818 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-ydabxhebt2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img 4427d9e2cd3d36f98ac4447961ac50924389d02e2d91dd5780da63d0d7c8810f

NanoCore

Executable exe 640ec1c90399bdc31dcb2a5bc4fcfb9b2409d5e00b091eed599a423346475275

(this sample)

  
Dropped by
MD5 b07d31033088fd75eb2eb194e74aafbc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4427d9e2cd3d36f98ac4447961ac50924389d02e2d91dd5780da63d0d7c8810f

Comments