MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dc4350314df19805239dc179bd1d1ef2745ade6b8c2de0e392fbb3595db2433. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dc4350314df19805239dc179bd1d1ef2745ade6b8c2de0e392fbb3595db2433
SHA3-384 hash: 0d7f4e0bf977b167adc51c58d36b083f7d2e36cab1f10b87322444aa6fb5baa241f690933feebf1f828b6e5155bbc820
SHA1 hash: 6d0a97b5e7641c61de56e3b0b361f457f906414e
MD5 hash: 86123e94c81dd3a23e588e7b0b3116b9
humanhash: texas-steak-march-september
File name:QUOTATION.pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:694'272 bytes
First seen:2020-06-16 11:16:23 UTC
Last seen:2020-06-17 09:17:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b7b5ab2d2e3c38731ec072a73a113374 (11 x AgentTesla, 4 x NanoCore, 3 x HawkEye)
ssdeep 12288:Tr5NlaFRMb7GKWWUxDz/xTT8Hc0jcnsREEDEaaqd0gDfTqFWxHc:XL+Mb7hUhZqc0jcsGEDc+DL+Qc
Threatray 3'216 similar samples on MalwareBazaar
TLSH 7FE49E22E1A047F7C11215BFBD0BB67898AAB9DD291827467BE4DC489F3D341F727182
Reporter jarumlus
Tags:NanoCore

Intelligence

File Origin
# of uploads :
4
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/8329/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.CryptInjector
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 11:18:05 UTC
File Type:
PE (Exe)
Extracted files:
257
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxcdkayu34myaurz3qlzxuor54tullpgxdbn4drzf65tlfo3eqzq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
7dfd68770a471f5991cb5b91816584e1c8e6c764bd4d8655c2d752099c5ad057
NanoCore
7ff651aa9581a2cb706e1aeb7957f06a70a6718abd0a6449a039006e9eff06dc
NanoCore
87c615982865f3989839cf3e7c4eca736f6adf61db512210919208b91661e104
NanoCore
962065b4491c250095c940a86b942e170e3ed612ea289a03131e1fd350fa48c8
NanoCore
a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7
NanoCore
bc9deb7c274339a0a8b594def58348a995b3d7af4764c796c365b683b7400aea
NanoCore
bd23c3a3d5215798a115525fe15803ee5f4393ae77d49e081770761beecb14ea
NanoCore
bf690b9b4ab2e0306b94b1a09431878786eb0fd6e858ac1f5d21c29a78b1f8d0
NanoCore
e41e433626e9dbf6c3a56c29c9dc60adfa53f71cd1c3bc10d682a1b2239c576d
NanoCore
f4dc1e741d3aef915ff984ff1346fc85ec3d37e9e89b275bb344e25c767751da
NanoCore
+ 3'206 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200624-8mp77stb52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UPX packed file
NanoCore
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z f6464e275c3dcf0ad869c6bbba2a56c6af25259c9f93bfe5295563c73d7e74d9

NanoCore

Executable exe 7dc4350314df19805239dc179bd1d1ef2745ade6b8c2de0e392fbb3595db2433

(this sample)

  
Dropped by
MD5 2530f5617a440e035c0134c4c9a248a4
  
Dropped by
SHA256 f6464e275c3dcf0ad869c6bbba2a56c6af25259c9f93bfe5295563c73d7e74d9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/8329/

Comments