MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65a59e303768c300ddda71f068996d02af3f154dc48f72c958ec5da2a1260f9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65a59e303768c300ddda71f068996d02af3f154dc48f72c958ec5da2a1260f9c
SHA3-384 hash: e8d91eb947a2526d20e83ce30a94638c6151a69322ee46e0dc5316e30f131b66db8ba1284d6eab4e29b2ae7fec88ae85
SHA1 hash: 8385c02fc9b654bc2e5c1929befb14813d2ad005
MD5 hash: 9e086473347a79d08b2cf3769c0330b1
humanhash: west-blue-east-hotel
File name:POEA MEMORANDUM NO. 61- 2020 SERIES.PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'050'549 bytes
First seen:2020-06-10 06:57:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:bNA3R5drX9jdW1eJy4O5f+E2ckcseYn8S9KRd:G59JWcJg5ELe4857
Threatray 1'274 similar samples on MalwareBazaar
TLSH BB251282FAC348F1E9230D36193A7F15A5BE75100F39DA3E7394492D9971183A732BA3
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: gmmgroupasia.wsiph2.com
Sending IP: 173.230.147.68
From: POEA <info1@poea.gov.ph>
Subject: POEA MEMORANDUM NO. 60-2020.SECOND REMINDER!
Attachment: POEA MEMORANDUM NO. 61- 2020 SERIES.LZH (contains "POEA MEMORANDUM NO. 61- 2020 SERIES.PDF.exe")

NanoCore RAT C2:
aashkanani22.casacam.net:54985 (79.134.225.73)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 06:59:04 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mwsz4mbxndbqbxo2ohygrglnakxt6fknyshxfsky5ro2fijgb6oa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
17b4dcf86e88514472b06653ae8560eaf3da47be3785573e9ffecdbaa4bddcb7
NanoCore
261ffb59e6589589525b96e900bf69a30ae9bce1ce1ce6cc6542c32a1eeebf08
NanoCore
28be907f56300a4543b8b1e619aa485f124998bf9f754c78efebded0e4e2693c
NanoCore
772d2f2ea97be3c0b9948701fb6743fc8f717680420fe5ce0101eac3ac6cd1c7
NanoCore
a259ab9f2ce1c874205cd31ac2f4ff924955caf2a81396b400dceb2438ff8921
NanoCore
b358b1ea537bc5e2dd3ddddbd1e9884770665569d5baaf20c2edb73cdd90ac60
NanoCore
b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c
NanoCore
bf9caae4940f91401db499ed61a89d3e5ed867bc846f229cced95288739f8dc6
NanoCore
c5b5ff5c176413573053cc64019bff9c9ca516d27fcbf2611505083c892c2751
NanoCore
f5d66dc7bbea20f1b0b5639ece0e786e4df2445f9a518b77a7140287c043986b
NanoCore
+ 1'264 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-53hyhl5hm2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
aashkanani22.casacam.net:54985
aashkanani22.ddns.net:54985
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 22a20fb79fcaca1650feed77df6e53d69afd6300e97135ca043ab6f423c018ef

NanoCore

Executable exe 65a59e303768c300ddda71f068996d02af3f154dc48f72c958ec5da2a1260f9c

(this sample)

  
Dropped by
MD5 a1eeba1e8e8e29607e0e58d690b83182
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 22a20fb79fcaca1650feed77df6e53d69afd6300e97135ca043ab6f423c018ef

Comments