MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b8b052e997171b0f6d09e387540b184e17f57ff8e3e4ea844840112d3e450ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	8b8b052e997171b0f6d09e387540b184e17f57ff8e3e4ea844840112d3e450ef
SHA3-384 hash:	6c26ffcf7f940b1fbef7504477d301a86fab683e429365579f29b4938f476bdcb2bc6a8741d9d41d3e2ac7db66d13e33
SHA1 hash:	510e75407766078a24ce75b73f0ba1861fd9b58b
MD5 hash:	455653675e1b496d6213414dcf8008f6
humanhash:	alanine-magnesium-hydrogen-hawaii
File name:	455653675e1b496d6213414dcf8008f6.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	383'488 bytes
First seen:	2020-05-22 14:10:04 UTC
Last seen:	2020-05-22 15:01:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:ECOkrnZ+F6RkduAAfqnapKpTuIrH7YRZgGsRYS98+byeAgX:hrSsAVAOTFrHcRs5rug
Threatray	1'146 similar samples on MalwareBazaar
TLSH	E384D008365D9537E57F9AF529E0A0A0C7B5A6263192E3EF4C93808905E1FC4CE52F7B
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

NanoCore RAT C2:
prime1.zapto.org:8885 (79.134.225.91)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.298.5525.3830.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-20 04:47:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

4f66be0f748eeb46f257297ae307e8b8925a9fd1774e0c69003d5fceb91d2dee

NanoCore

522eeb43150a93e0dd1308403baf27e10ca4042330e6405e87913683f3f6a67a

NanoCore

52bd5d7b847a16014d4efe0fae302a258e7fdae3c3fac133af3c2fc4a82a1004

NanoCore

8f88c71422c2790790dd50c3ff89fe3a5add4e1d55a83e50d6b445779d813796

NanoCore

abf941273866ba3ff5790c18f55e776554f75f846f1878b98c1e98ad25e94b9e

NanoCore

c3d6ba39975199cb83b15512473fcea21605ba24edb8e4fb7343ce476cbf82c2

NanoCore

c6160c54544837983276438a2b3d4782a52ae0fc604f4f65a8b16133f99ab16e

NanoCore

e3e3a0d4264a9b475696aba1bc5963c510560335c0399909c524fcaa5fcee4b5

NanoCore

ff8e7032093434b49d2b60c9e821c94a35f90fb81cc06e289ebf01ce52f5c6f2

NanoCore

+ 1'136 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-hyrdngngrx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Malware Config

C2 Extraction:

prime1.zapto.org:8885

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample