MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19
SHA3-384 hash: 9853caaad02031dce8f8cf9f6d45746eba81fc3f03e50bb59eb717fa0e99e26243b4c0563a52cb61ce3f0d232f734afd
SHA1 hash: 71ca9deefc3a678bf7fde895978ff5ff5a67691a
MD5 hash: 82c01db6ccaa1c602b77c59b3ed64d71
humanhash: seven-robert-social-green
File name: IePZajh9fm9DACV.exe
Signature: NanoCore
File size: 370'688 bytes
First seen: 2020-06-30 05:27:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:f4u8Lx5ggJec3PZEemlbtPsuh2eOBlf1J9ZcDCVmUoWlIxfT9Tl:f4u8d5gKec/ZVmZVV2e2vCWVTHo
TLSH: CB74E018372D6837CEAC05F64482654007F5A2E23993F3D99DCDB0E826D6BDD1F12AA7
Reporter: @abuse_ch
Tags: exe, NanoCore, nVpn, RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: p3plwbeout14-06.prod.phx3.secureserver.net
Sending IP: 173.201.192.192
From: Gordon O'brien <Gordon.Obrien@g-obrien.co.uk>
Reply-To: Gordon O'brien <markhilton@blueyonder.co.uk>
Subject: L65190MH2004GOI148838
Attachment: IePZajh9fm9DACV.iso (contains "IePZajh9fm9DACV.exe")

NanoCore RAT C2:
u870797.nvpn.to:3119 (185.244.29.158)

Pointing to nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE
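The headers quoted in the post above are a compact triage case: the From and Reply-To addresses sit on different domains, the sending host belongs to a shared webmail provider unrelated to the From domain, and the lure is a disk image wrapping an executable. The script below is an added example, not abuse.ch tooling and not code from the post. The raw message is constructed from the quoted header values (the Received line is built from the HELO name and sending IP; the body text and MIME layout are assumed), and the DISK_IMAGE_EXTENSIONS set and the severity labels are this example's own choices.

```python
"""Triage of the malspam headers quoted in the @abuse_ch post above.

Added example; not abuse.ch tooling and not code from the post. RAW_MESSAGE is
CONSTRUCTED from the header values in the post: the Received line is built from the
HELO name and sending IP, and the body text and MIME layout are assumed.
"""
import email
import os
import re
from email.utils import parseaddr

RAW_MESSAGE = """\
Received: from p3plwbeout14-06.prod.phx3.secureserver.net ([173.201.192.192])
From: Gordon O'brien <Gordon.Obrien@g-obrien.co.uk>
Reply-To: Gordon O'brien <markhilton@blueyonder.co.uk>
Subject: L65190MH2004GOI148838
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain; charset="us-ascii"

Please find the attached document.
--boundary42
Content-Type: application/octet-stream; name="IePZajh9fm9DACV.iso"
Content-Disposition: attachment; filename="IePZajh9fm9DACV.iso"
Content-Transfer-Encoding: base64

AAAA
--boundary42--
"""

# Container formats Windows mounts as a drive on double-click. The post says the ISO
# carried IePZajh9fm9DACV.exe; files inside a mounted image did not carry the
# Mark-of-the-Web at the time, so the usual "downloaded file" warnings did not apply.
DISK_IMAGE_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}  # assumption: this example's list


def domain_of(header_value):
    """Lower-cased domain of the first address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def helo_name(received_header):
    """Hostname the sender announced in HELO, taken from a Received header."""
    m = re.match(r"\s*from\s+(\S+)", received_header or "", re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(raw_message):
    """Return (rule, severity, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    # Replies quietly rerouted to another mailbox: the classic lure setup.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", "high",
                         f"From {from_domain} but Reply-To {reply_domain}"))

    helo = helo_name(msg.get("Received"))  # first Received header = last hop seen
    # Sending host unrelated to the From domain. Low severity on its own: shared
    # webmail hosts legitimately send for many customer domains.
    if helo and from_domain and not helo.endswith(from_domain):
        findings.append(("helo-from-mismatch", "low",
                         f"HELO {helo} for From {from_domain}"))

    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in DISK_IMAGE_EXTENSIONS:
            findings.append(("disk-image-attachment", "high", name))
    return findings


if __name__ == "__main__":
    for rule, severity, detail in triage(RAW_MESSAGE):
        print(f"[{severity}] {rule}: {detail}")
```

The Reply-To and disk-image rules are the ones worth alerting on; the HELO check is deliberately informational, because a GoDaddy-style shared outbound host (secureserver.net here) sends legitimate mail for thousands of customer domains.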

Intelligence


File Origin
# of uploads: 1
# of downloads: 36
Origin country: US
Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-06-30 01:41:03 UTC
AV detection: 25 of 30 (83.33%)
Threat level: 5/5
Note that the vendor's family label (AgentTesla) conflicts with the sandbox result, the extracted configuration and the YARA matches, all of which say NanoCore. Vendor detection names are often only approximate at the family level (both families are .NET/MSIL malware), so prefer the configuration-based result when attributing.
Result
Malware family: nanocore
Score: 10/10
Tags: keylogger, trojan, stealer, spyware, family:nanocore, evasion
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
WriteProcessMemory together with SetThreadContext is the API pair behind process hollowing and thread-hijack injection (a payload is written into another process and one of its threads is redirected to it), so these signatures describe the loader unpacking the RAT into a host process; the scheduled task is its persistence mechanism, and the repeated GetForegroundWindow calls fit the keylogger tracking the active window.
Malware Config
Extraction: u870797.nvpn.to:3119
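The hashes at the top of this entry and the C2 extracted from the sample's configuration (u870797.nvpn.to:3119, which the post saw resolving to 185.244.29.158) are the indicators a responder actually sweeps for. The script below is an added example, not MalwareBazaar code: it streams a file through the four hash algorithms the entry lists and matches DNS and connection log lines against the C2. The indicator values are copied from this entry; the file bytes, the log lines and the key=value log format are constructed for the demonstration.

```python
"""Indicator matching for this MalwareBazaar entry.

Added example, not MalwareBazaar's own code. Indicator values are copied from the
entry and the @abuse_ch post; the file contents and log lines are CONSTRUCTED and
the "<timestamp> <record type> key=value ..." log format is assumed.
"""
import hashlib
import io
import re

# Hashes as listed in the entry (keys are hashlib algorithm names).
FILE_HASHES = {
    "sha256": "70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19",
    "sha1": "71ca9deefc3a678bf7fde895978ff5ff5a67691a",
    "md5": "82c01db6ccaa1c602b77c59b3ed64d71",
    "sha3_384": "9853caaad02031dce8f8cf9f6d45746eba81fc3f03e50bb59eb717fa0e99e26243b4c0563a52cb61ce3f0d232f734afd",
}
# C2 from the extracted malware config, and the IP the post saw it resolve to.
C2_HOST = "u870797.nvpn.to"
C2_PORT = 3119
C2_IP = "185.244.29.158"


def digest_stream(fh, chunk_size=1 << 20):
    """One pass over a binary stream, feeding every hasher; returns hex digests."""
    hashers = {name: hashlib.new(name) for name in FILE_HASHES}
    for block in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def match_hashes(digests):
    """Algorithms whose digest equals the entry's value (case-insensitive)."""
    return sorted(name for name, value in digests.items()
                  if name in FILE_HASHES and value.lower() == FILE_HASHES[name])


# Constructed log lines in the assumed format.
LOG_LINES = [
    "2020-06-30T05:30:01Z dns client=10.0.0.5 query=u870797.nvpn.to answer=185.244.29.158",
    "2020-06-30T05:30:02Z conn src=10.0.0.5 dst=185.244.29.158 dport=3119 proto=tcp",
    "2020-06-30T05:31:10Z conn src=10.0.0.7 dst=192.0.2.10 dport=443 proto=tcp",
    "2020-06-30T05:32:00Z dns client=10.0.0.7 query=example.com answer=192.0.2.10",
]
KV = re.compile(r"(\w+)=(\S+)")


def match_network(lines):
    """(hit type, line) for every log line touching the C2 host, IP or host:port."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(KV.findall(line))
        if parts[1] == "dns" and (fields.get("query", "").lower() == C2_HOST
                                  or fields.get("answer") == C2_IP):
            hits.append(("dns-c2", line))
        elif parts[1] == "conn" and fields.get("dst") == C2_IP:
            # The port match is the stronger signal: a VPN exit IP is shared.
            exact = fields.get("dport") == str(C2_PORT)
            hits.append(("conn-c2-host-port" if exact else "conn-c2-ip-only", line))
    return hits


if __name__ == "__main__":
    print(match_hashes(digest_bytes(b"not the real sample")))  # constructed bytes: no match
    for hit, line in match_network(LOG_LINES):
        print(hit, "<-", line)
```

nVpn is a commercial VPN service with port forwarding, so the 185.244.29.158 address is shared with other customers and can change, which is why the RIPE record (a German abuse contact on a range registered to KP) tells you little about the operator. Treat the hostname and the host:port pair as the durable indicators and a bare IP hit as supporting evidence only.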

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery chain: Malspam -> NanoCore -> Executable exe 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19 (this sample)

Delivery method: Distributed via e-mail attachment

Comments