MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fdc8ad458c5b60a15774baef1acff96af05216b279754c5188c63ee542a82fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	6fdc8ad458c5b60a15774baef1acff96af05216b279754c5188c63ee542a82fe
SHA3-384 hash:	c24632c962ba8c94443e0c5d26af31b889ee724afafcba774839742e90fdeffa44bdd20eb978fd85f49d52957154261b
SHA1 hash:	96681298da539415e237de6b6c3aacca11387b5d
MD5 hash:	f09bdd7eae7bbb54c4fbe76c0fddd85c
humanhash:	social-princess-september-bulldog
File name:	nass.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	606'720 bytes
First seen:	2020-03-31 07:55:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:SA5ZPK+ydq2TlnN3awdbxlVZ2t9EbvHM5rRxNSagwxuqD/Z:SA5w+d2TlR1dbxDZ27EjW8VqD/Z
Threatray	1'242 similar samples on MalwareBazaar
TLSH	68D402017680C960D2946333D9D7D13217766C02DBE37253BAC47F877A7238FAA9B25A
Reporter	jarumlus
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.33581502.14923.11801.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-03-30 15:29:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n7oivvcyyw3auflxjoxpdlh7s2xqkille6lvjriyrrr64vbkql7a._file

Verdict:

malicious

Label(s):

nanocorerat

agenttesla

NanoCore

0fb26042a8a31d0db10d1302875a6f44d5aa5dd369b309795172dc957eef5c4a

NanoCore

19cb38547f3fd2c587aea5193730165d1e0706324b79c9cd60c809a23d73497a

NanoCore

b021142c3c9575a16eb787ba56f17e01925370db0b3d24afa41145b83f8f094f

NanoCore

c21ee6cfa09a79362a7f3b03781a7f252d10b41da48dea433e06fe4a0df26eee

NanoCore

d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a

NanoCore

d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0

NanoCore

e5e1d72cc6c9b97503fa2d43df4f1da20c97dd1803d86b0ae90312bac9cd0c04

NanoCore

f9614b985dcb06d9c40448e4ecf1a94ce2cd69e54f6acbeca7b6deec54aafdb3

NanoCore

fa8b5da63665ba268ec6923aa0bd26662e9dea318d80a7ab659065724c94868a

NanoCore

+ 1'232 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

exe 6fdc8ad458c5b60a15774baef1acff96af05216b279754c5188c63ee542a82fe

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/329293/

URLhaus

https://urlhaus.abuse.ch/url/332580/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample