MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ece00da69537d12d933cfc710ef0be2f76ee8d39c111ba1726bd47c8fb8acb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 6ece00da69537d12d933cfc710ef0be2f76ee8d39c111ba1726bd47c8fb8acb1
SHA3-384 hash: aa6b140407fd1d119d281d60a5630e54d8f8f2033d6863d0a5bcc4c3627e5e9e0d1f2545a6de2e769b990bf6b2a80079
SHA1 hash: b22b789acafface4f0d1140d8f12ef425d8da1b6
MD5 hash: 474f0117b9ffba8ab212f72abb791b45
humanhash: dakota-white-muppet-nine
File name: 7DcshRRKyE3bON7.exe
Signature: NanoCore
File size: 337'408 bytes
First seen: 2020-06-30 13:13:12 UTC
Last seen: 2020-07-06 07:03:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:bBBWUCt60fvNo0/HrX7xlvN0HshnpP285aIoOODr:bBBWUCtLvNoGbdlvnnpusG
TLSH: DF74023363B85F16D2FA97B910B1A5210F76A8133E24D65DADA860CE1D73B944B12F33
Reporter: @abuse_ch
Tags: exe NanoCore nVpn Outlook RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: NAM11-DM6-obe.outbound.protection.outlook.com
Sending IP: 40.92.19.32
From: susana_figueirinha@hotmail.com
Reply-To: vojtech.tydlacka@yandex.com
Subject: Early July Supply order request..
Attachment: SotaiyoGroup-RFQ20200701.xz (contains "7DcshRRKyE3bON7.exe")

NanoCore RAT C2:
nobiwideget.dvrdns.org:54001 (5.206.224.136)

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 30
Origin country: US
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/17200/
ClamAV: SecuriteInfo.com.Generic-EXE.UNOFFICIAL
CERT.PL MWDB Detection: nanocore
Link: https://mwdb.cert.pl/sample/6ece00da69537d12d933cfc710ef0be2f76ee8d39c111ba1726bd47c8fb8acb1/
ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Agensla
First seen: 2020-06-30 09:40:36 UTC
AV detection: 23 of 31 (74.19%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-ck6p79dswx/
Tags: evasion trojan keylogger stealer spyware family:nanocore persistence
Config extraction: nobiwideget.dvrdns.org:54001
VirusTotal: Virustotal results 12.33%

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Malspam
Malware family: NanoCore
File: Executable exe 6ece00da69537d12d933cfc710ef0be2f76ee8d39c111ba1726bd47c8fb8acb1 (this sample)
Delivery method: Distributed via e-mail attachment

Comments