MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19
SHA3-384 hash: 9853caaad02031dce8f8cf9f6d45746eba81fc3f03e50bb59eb717fa0e99e26243b4c0563a52cb61ce3f0d232f734afd
SHA1 hash: 71ca9deefc3a678bf7fde895978ff5ff5a67691a
MD5 hash: 82c01db6ccaa1c602b77c59b3ed64d71
humanhash: seven-robert-social-green
File name:IePZajh9fm9DACV.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:370'688 bytes
First seen:2020-06-30 05:27:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:f4u8Lx5ggJec3PZEemlbtPsuh2eOBlf1J9ZcDCVmUoWlIxfT9Tl:f4u8d5gKec/ZVmZVV2e2vCWVTHo
Threatray 1'148 similar samples on MalwareBazaar
TLSH CB74E018372D6837CEAC05F64482654007F5A2E23993F3D99DCDB0E826D6BDD1F12AA7
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: p3plwbeout14-06.prod.phx3.secureserver.net
Sending IP: 173.201.192.192
From: Gordon O'brien <Gordon.Obrien@g-obrien.co.uk>
Reply-To: Gordon O'brien <markhilton@blueyonder.co.uk>
Subject: L65190MH2004GOI148838
Attachment: IePZajh9fm9DACV.iso (contains "IePZajh9fm9DACV.exe")

NanoCore RAT C2:
u870797.nvpn.to:3119 (185.244.29.158)

Pointing to nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16767/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 01:41:03 UTC
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ocr6gbaoi44ymkmvpy2raa4a332bwgvvwswhhz3xaunw5bogbmmq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
093313195ab55c462e616e41f5b20e0f876d69e1941d34cd05302c82d8eb20e7
NanoCore
11e8dbf88b15aa6f09d5f7d9fffd3f333ec9a84b6bb9b9bb8c69dad6f5890603
NanoCore
140902e2a23240a35b3e72be9c0878d18c2a7b4780feab213cbcc03156804c05
NanoCore
6163f1bf34c821d55a7e532009adc95ba921b28578a58336e5b01f6c09d4dad4
NanoCore
af7b5b39405065f105a0bf0f53578061adcd58a5861bb38827dd0f62df4f57ed
NanoCore
b2e9a56a20c71306ae8965955dfa780b868c5766f3ebb2f8e4c816a305711cdd
NanoCore
e847719a98762bcf7422064186c2cdbb2f58000622448c3adcb6769b7cfbea68
NanoCore
ec89b2b660ea42254a90f3b045dc98bfe6d1733878bd39a2a7030d68de169859
NanoCore
f0fa2d366b28cfa858d00232f1073be3dbea215480c630a6489b38acdbb7af83
NanoCore
f9155082e1d12e318287a25bb73036feab7c75b7f0c3c1c30f457cbecaf9763a
NanoCore
+ 1'138 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore evasion
Link:
https://tria.ge/reports/200630-x3w19ngbfx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
u870797.nvpn.to:3119
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso c91d163d1956328bc15bc44ab57f8f473f97937dea1360b696ebc23d5a30c1c5

NanoCore

Executable exe 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19

(this sample)

  
Dropped by
MD5 774d06d4ae1b55c173a8ca99fad177c6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/16767/
  
Dropped by
SHA256 c91d163d1956328bc15bc44ab57f8f473f97937dea1360b696ebc23d5a30c1c5

Comments