MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 713c780c42db40b3456b797e578c889f19a915441a428277aaa8235dfecd0142. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 713c780c42db40b3456b797e578c889f19a915441a428277aaa8235dfecd0142
SHA3-384 hash: 769229f6baa6c862fcbe3c74612472f9405292f4c8475f353868c38be0b563e577323003d4d04b8495d3a4fe9567c6ec
SHA1 hash: 4194f65b0166ff63b250141949e5540c269ef51f
MD5 hash: c42ee85b50ff14e27eec730278d34b89
humanhash: georgia-uncle-four-aspen
File name:5042020 doc.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:400'896 bytes
First seen:2020-05-03 12:32:20 UTC
Last seen:2020-05-03 13:49:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:jKLuiSuRvJT0/FRuwDtMjNm8QGqYI8Iqs6UF7WTcfqewc8zxN2l5OCm:jmuW50/zupSD8IqzUFKTcFz8FN8
Threatray 1'086 similar samples on MalwareBazaar
TLSH E884CF642DFA462FF27F5FB4AAC43051EB69F2B37603E71B459103428E12B528E8512B
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: thsv25.hostatom.com
Sending IP: 103.80.48.25
From: پلیس ملی عربستان سعودی <info@diinak.com>
Subject: Fwd: Re: Re: Re: دعوت نهایی پلیس پادشاهی.
Attachment: 5042020 doc.r22 (contains "5042020 doc.exe")

NanoCore RAT C2:
atiku2.duckdns.org:5626 (185.244.30.6)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_Foundation_Hungary
remarks: Budapest, Hungary
country: HU
org: ORG-FOSF3-RIPE
admin-c: FOSF1-RIPE
tech-c: FOSF1-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-04-06T19:58:39Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Fonctuzim.1.8191.9697.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-03 12:55:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oe6hqdcc3nalgrllpf7fpdeit4m2sfkedjbie55kvarv37wnafba._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34
NanoCore
5d37ea9d96ae208d4df3961643780b97016cf055128483ae287ad86616cbea45
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
92632fa88b730e2593837c7d51884384dcf8c887fd4b8d3cc6741d12ae9cd347
NanoCore
9c62e75f2dc168671bddfe8cad2b102197c10d9039d8917a7637585ff603dbdd
NanoCore
9fc240db7a0cd883c35e2cbfc6e8dcb2bb3921514dbce65aef46711de4a06a6a
NanoCore
c068b1a7379f95ee883cd4ed9639bb2b28c380934f3bc0e0c7be97ad808c7b8a
NanoCore
ddf157853be3dbebba9eea0db9815017a0c7d8dded210a5c291d7b0ccd2fd2be
NanoCore
e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed
NanoCore
ed6ea055c622adab41b5eba73b4d556c4c843b9e77e21933297ca0ce972ce5c4
NanoCore
+ 1'076 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar d123009856086441be193cc441a4d7a5ded22d10c160a2753f3a0a1163b93898

NanoCore

Executable exe 713c780c42db40b3456b797e578c889f19a915441a428277aaa8235dfecd0142

(this sample)

  
Dropped by
MD5 1282c5c8f6cd09648c618f4f783158b5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d123009856086441be193cc441a4d7a5ded22d10c160a2753f3a0a1163b93898

Comments