MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cb987616a272b3f90faa060b9671d72cdb3c2fecd398b9c50fac1449379282b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	7cb987616a272b3f90faa060b9671d72cdb3c2fecd398b9c50fac1449379282b
SHA3-384 hash:	888098fc3ce497e030392cbc4a3c50d06d520ec189a3c233b67e173561cb24a5fb197640b0de34e221e4af9f4155fe56
SHA1 hash:	8559942649a1459bcaa942a84da2aa31ec7cd187
MD5 hash:	786f3e12cbb8ed1bb222f289edd2bb25
humanhash:	lion-bulldog-october-single
File name:	7cb987616a272b3f90faa060b9671d72cdb3c2fecd398b9c50fac1449379282b
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	761'860 bytes
First seen:	2020-06-29 07:20:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	12288:xQnk3GDYKGcblOfIY88GGtc4xFfGoUXJhgVMJ0+3s1:bAOcZOwYNGEVxgoU5hFJ0+34
Threatray	1'307 similar samples on MalwareBazaar
TLSH	A8F4E101B6C184B1D5B239365E39D7316B3C7D201E24DA1FB7E43D6FBA781926224BA3
Reporter	JAMESWT_WT
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

1

# of downloads :

66

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/15546/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7cb987616a272b3f90faa060b9671d72cdb3c2fecd398b9c50fac1449379282b/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2020-06-25 16:29:14 UTC

File Type:

PE (Exe)

Extracted files:

40

AV detection:

25 of 48 (52.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ps4yoylke4vt7eh2ubqlszy5olg3hqx6zu4yxhcq7lauje3zfavq._file

Verdict:

malicious

Label(s):

nanocorerat

Similar samples:

076dfc0a55afc36cdfd6dff84cfd0feae23029843e745b7f122980b341f7b710

1678611ad4996f718c0a8998ce194dfe117bf47529c4ccad51a6816ecf4f1bb4

1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923

1bf1041ceb0ca8999ab06220a4d1fd4ae389860ddf8687dab297c9940b40236e

2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279

68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345

6b9fc5c25a2b8fdb0b218dbc96f51d59dbf5c486d2bfc39eed32660f3c238bc8

c4b40854b0d96e0967c64ee0f80d41222d57029ec9e3e4b72f4232291879caad

e34ce3660cbabe945aadb571016cbd7e73ca4a7baa6e9cd64a3615b6474ccdc8

f9e386914a47b738dcfe89fadf3021be00c2dfe8824d8326ea79fcd79d3673cc

+ 1'297 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

keylogger trojan stealer spyware family:nanocore persistence evasion

Link:

https://tria.ge/reports/200629-6j7qd7xqrn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Drops file in Program Files directory

Checks whether UAC is enabled

Adds Run entry to start application

Loads dropped DLL

Executes dropped EXE

NanoCore

Malware Config

C2 Extraction:

ratlt2.ddns.net:1604

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/15546/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample