MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10
SHA3-384 hash: 408df0e416ecdd1af87ea9235005d922dd601f6ef4cab4e63d386a707f1502b15b99571fb101afff0a7c8e3db9ba6a04
SHA1 hash: ae8832bcefff293fd6d4c29d00362e3ed5a2202c
MD5 hash: 931d6095b12f270ab926dd037d3b8430
humanhash: zebra-alaska-don-oscar
File name:Update on Stamp Duty Charges on Paga.pdf.scr
Download: download sample
Signature NanoCore
Create hunting rule
File size:485'376 bytes
First seen:2020-06-30 13:20:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:MSA9RevhnbEQezkxFn8CCtdnnsycp90aLK7eUXKSQHUJyqCLuIk+xxiTRqSw:wObRezkxFn8CA+iqjUXZQHUJSyIAUSw
Threatray 1'094 similar samples on MalwareBazaar
TLSH 06A4B06567E8EC14D63FA735B670B015817AAF07D55AE70E7C4CB5EA28723803842E8F
Reporter abuse_ch
Tags:NanoCore RAT scr


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: vps11112.inmotionhosting.com
Sending IP: 192.145.237.232
From: Paga comms <no-reply@mypaga.com>
Reply-To: Paga <PAGAA@mail.com>
Subject: Update on Stamp Duty Charges on paga
Attachment: Update on Stamp Duty Charges on Paga.pdf.zip (contains "Update on Stamp Duty Charges on Paga.pdf.scr")

NanoCore RAT C2:
grace532.sytes.net:1919

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17208/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.ENIA.32641.UNOFFICIAL
Create hunting rule

Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 13:22:06 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mvqdy6uix24tebosaewkrvr5xiyq7qhx7ep4qeyaonhohmxlh4ia._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2f003ca84db5f82fcf36040f7d97baae64e0582e830c8c1cea65c32c3d5b21d5
NanoCore
75830575168e1d024a8d0c86764cb9b88eea3c79f0c4a24fb39d4e94fd2c42d7
NanoCore
819b7cdae5437e09dddc2263080df829d2e8ba725f4364bfddf0cd10eb848692
NanoCore
a37f501c2d65d191828fe20bf148436de23201f6fe852d59dfa67aaa5fc206e8
NanoCore
d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a
NanoCore
d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0
NanoCore
e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69
NanoCore
f1fddc0cfd9632772ba10b059d83a1bb34b01a81766e61804bc39ca3898c5211
NanoCore
f5ccc5ce755b5273935290c41751582654c3f4783c07df8cf91dd783cd3afc1b
NanoCore
f86a114e73dd0f15bc888e3db1477aa4c92d333bb236c4d3d1f49e72858bb80d
NanoCore
+ 1'084 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200630-akwekcmml2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
C2 Extraction:
grace532.sytes.net:1919
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip df4b6e0ed32d4879c68bb3b7c7ec5c401d6645b7082a05ff3e4cbc9d3b5ae052

NanoCore

Executable exe 65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10

(this sample)

  
Dropped by
MD5 8614a6c14b396083dc739b51f167d9fc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/17208/
  
Dropped by
SHA256 df4b6e0ed32d4879c68bb3b7c7ec5c401d6645b7082a05ff3e4cbc9d3b5ae052

Comments