MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88ae38556e157d0f34780d0764240a8f5be7c503b4c4c173403cd2be59cd2916. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	88ae38556e157d0f34780d0764240a8f5be7c503b4c4c173403cd2be59cd2916
SHA3-384 hash:	83869af027a6c0c856c2db3932f989fc200ab036d388b770411d1533638e28617c804bd566b0041d72ed715e14efd45f
SHA1 hash:	9e1e57a84e767c961a594c50e96e2a5bb54476b3
MD5 hash:	89a64121b5d4ea97749693c55dc486af
humanhash:	fanta-march-red-robin
File name:	ups.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	368'128 bytes
First seen:	2020-04-03 05:04:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:3IKmHyEPEoNv1MW0xSZiV3Ihd2JgKVJYLG8M559lLmjWDtO93UrwjhH9V:pmHlMdUioHGXCjGtOur89
Threatray	1'196 similar samples on MalwareBazaar
TLSH	2C749E3561EB1157D772F7B30BD8ACAE9699B273220BF53931C217C68722902DAC2375
Reporter	jarumlus
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20200402-2304.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-03 05:35:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rcxdqvlocv6q6ndybudwijakr5n6pridwtcmc42ahtjl4wonfela._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

24683ff5c436b2b56e96268ba4c591e8f80e9995623a0a1f6e6c7adf5bd2a62c

NanoCore

2a9cf930b5e11dee35842ff73179a0467f820a95e23560d774f7ea05111de351

NanoCore

2f0bab188c5eb456ce6af0e1f9b395ff94dca39d47fa4a61c021a53e1be39a7c

NanoCore

394674b4e655b4c844746da331510aecd02162402ee5a267eda539753eebd5e9

NanoCore

6f8b5cad56d107434291b260c5483479d0ac1d02498d5bfad7468a02dc7fc19d

NanoCore

819b7cdae5437e09dddc2263080df829d2e8ba725f4364bfddf0cd10eb848692

NanoCore

e3cfd3d090923b878c13c989b6b7c65e8ee788b70dcce22db4f6798754082eef

NanoCore

ed544c300a04ddf77c6537f3cb78177f12c9a23e62d06189a19eee966caf9631

NanoCore

f5ccc5ce755b5273935290c41751582654c3f4783c07df8cf91dd783cd3afc1b

NanoCore

+ 1'186 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample