MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2
SHA3-384 hash: 87f48a81d3bded2db98f0d13017e6142043ada38e53055555c190a7b21dfcc4a1bd88572741246d0c9c5c5eaeb48a341
SHA1 hash: 56d2b07aa04e217732e3e11a2dbb89ac5e0cf7c2
MD5 hash: 866a81d430acbc8a4f59b6ff861add9c
humanhash: florida-network-lima-aspen
File name:Quotation-20200614-024142914208136738390-43910160182012224297.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:372'736 bytes
First seen:2020-06-15 13:37:22 UTC
Last seen:2020-06-16 09:35:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:bwdKAXRg6jh6fXkZx6aoJCjDqbJupc8WXsezc0bkXqXDePS/Ckjhdpt3TX0MEY:UKAOJax6aS0pSJc0bpya/C+dpVEMt
Threatray 1'161 similar samples on MalwareBazaar
TLSH AE84F180366A9B12C5BD4BFD38BC514507B9B757E827D71D2CC1A2DD1AB2B8C0A1378B
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: smtphy.263.net
Sending IP: 54.255.195.220
From: Lucy Lawson <feedback@hsgeneral.net>
Subject: Quotation-20200614-0241
Attachment: Quotation-20200614-0241.xz (contains "Quotation-20200614-024142914208136738390-43910160182012224297.exe")

NanoCore RAT C2:
185.19.85.150:54085


% Information related to '185.19.84.0 - 185.19.85.255'

% Abuse contact for '185.19.84.0 - 185.19.85.255' is 'abuse@datawire.ch'

inetnum: 185.19.84.0 - 185.19.85.255
netname: DATAWIRE-DATACENTERS
descr: CUSTOMERS ZG01
country: CH
admin-c: DA4314-RIPE
tech-c: DA4314-RIPE
status: ASSIGNED PA
mnt-by: DATAWIRE-NOC
created: 2013-09-23T14:18:55Z
last-modified: 2013-09-23T14:18:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10459/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 13:39:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6k5eedaemrawxqqnmpalak6pamnmymjyaouxsjhozyar7gny3ja._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
115ac22b81d02e9b30179404484045af66fe01218a17cad538fa3f6d66819f39
NanoCore
4fe72699119a25e2d936a92d07abce418b9a0b91d742de5e21b005ffa82bba2b
NanoCore
83b70b20d0cdb13e9c420723ba5f025827d21e0c051c6e64b5553a5c372c3374
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
b40b7bfd1fa04e5b9cc6dfc143c49fce45a9d1c1c7cb4e0726030e97d321937a
NanoCore
c1e95a6f558510abc5490b3c48c42b49b999d45ad187691c84d9d06473a16e7a
NanoCore
cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae
NanoCore
d2dbd686e32057f85bd87cd34af193f3ebf6e6f99de996da2a8dcc533d9ad19f
NanoCore
ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb
NanoCore
fadcffc72696cb639334be446d2aeb90743b270276f48b730efbb59b73505a85
NanoCore
+ 1'151 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-z1xtt9l6wa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Contains code to disable Windows Defender
NanoCore
Malware Config
C2 Extraction:
185.19.85.150:54085
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

xz ba62a4d2168c779f94d423e7c18adb811a4aed11d82efbd7f647a14035b92e03

NanoCore

Executable exe 7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2

(this sample)

  
Dropped by
MD5 a40b2fa617bb3940c15b9da27d3e3796
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ba62a4d2168c779f94d423e7c18adb811a4aed11d82efbd7f647a14035b92e03
Cape
Cape
https://www.capesandbox.com/analysis/10459/

Comments