MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73db44bf103e307704faafe310253e8b810593856abf4e92295f68f47532742c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 5 Comments

SHA256 hash: 73db44bf103e307704faafe310253e8b810593856abf4e92295f68f47532742c
SHA3-384 hash: 4fec9c4a0781d5b2426c858e60e184cbf4896a7f8292901d7b8c94e179c7dfdb5fcea9bb274cae601f8124c2181d1de4
SHA1 hash: ba5a8d25cfdf61ff29cf454f755bb41257f2ce8c
MD5 hash: 014735a6200ec62f9256bc62f3f06b5a
humanhash: edward-delta-nine-william
File name:Invoice.exe
Download: download sample
Signature NanoCore
File size:1'317'888 bytes
First seen:2020-06-18 16:09:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091
ssdeep 24576:stb20pkaCqT5TBWgNQ7aBJedNU6UWSmrH9VktBY6A:VVg5tQ7aBeNOWDJVkc5
TLSH 4B55BE1263DD8361C3BE52737A15B7416EBBFC2506A0B47B2FE4C93CA9201215E1E66F
Reporter @abuse_ch
Tags:exe NanoCore nVpn RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.158.42.8
From: Accounts Administrator <pedro.henrique@medbeta.com.br>
Reply-To: noreply@accounts.com
Subject: Pending Invoice
Attachment: Invoice.img (contains "Invoice.exe")

NanoCore RAT C2:
u852117.nvpn.to:5638 (194.5.97.44)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.97.0 - 194.5.97.255
netname: Privacy_Online
remarks: ------------------------------------------------------------------------
remarks: This prefix is used by a non-logging VPN service provider.
remarks: We don't log any user activities.
remarks: We don't host anything else on our servers than VPN software (OpenVPN,
remarks: IKEv1 & 2, WireGuard ...).
remarks: Our customers can open up to 8 Ports (TCP & UDP).
remarks: We support the Tor Project: https://www.torproject.org
remarks: Before sending us potential complaints, please read:
remarks: https://www.torservers.net/abuse.html
remarks:
remarks: We are under constant pressure by Spamhaus.
remarks: Spamhaus issues tons of fake SBL listings in order to destroy our service.
remarks: They use fake identities, violate EU laws and hide outside the EU in
remarks: Andorra to avoid legal consequences.
remarks: Please don't trust this organization.
remarks: If you have any questions related to our service, please contact us
remarks: directly via e-mail: support@inter-cloud.tech
remarks:
remarks: Thank you.
remarks: ------------------------------------------------------------------------
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
country: RU
status: SUB-ALLOCATED PA
mnt-by: inter-cloud-mnt
created: 2018-07-23T09:31:45Z
last-modified: 2020-03-10T21:27:32Z
source: RIPE

Intelligence


File Origin
# of uploads :
1
# of downloads :
37
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Predator
Status:
Malicious
First seen:
2020-06-18 16:36:06 UTC
AV detection:
25 of 31 (80.65%)
Threat level
  5/5
Result
Malware family:
nanocore
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
NanoCore
Malware Config
Extraction:
u852117.nvpn.to:5638

Yara Signatures


Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

fcf12b15fa2e6738a0f5829d074a1611

NanoCore

Executable exe 73db44bf103e307704faafe310253e8b810593856abf4e92295f68f47532742c

(this sample)

  
Dropped by
MD5 fcf12b15fa2e6738a0f5829d074a1611
  
Delivery method
Distributed via e-mail attachment

Comments