MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4
SHA3-384 hash: b0838bf9183997b7506a28a956c3e32bdc1c28712471bbdcf5b352815c42a6ecc5292901a707f4285c2b3cf8bb598e51
SHA1 hash: 7000e9cff7196d30c9a371f89b1fc90530c49953
MD5 hash: d8a701f0eb40bb760398aa2712b1996b
humanhash: angel-ceiling-spring-johnny
File name:Folha de dados de cotação para nossa empresa doc.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:681'984 bytes
First seen:2020-07-09 07:55:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:pt+iwv3O5DVZ03zZN+YvUN6Anzek8zRaz8/bLtN4acTaulCSRO6I/Gop:pt4ChZQzZkYUzezzgqNN4LTESRA/Gop
Threatray 2'086 similar samples on MalwareBazaar
TLSH CAE4E03573908E12C77B4F76997150008FB0BD6B6957F39FAEC4219E18DBB948902B27
Reporter abuse_ch
Tags:exe geo NanoCore nVpn PRT RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: dedicated.fco.pt
Sending IP: 151.236.46.67
From: João Marques <geral@bidakis.com>
Subject: RE: Cotação - Transitex
Attachment: Folha de dados de cotação para nossa empresa doc.arj (contains "Folha de dados de cotação para nossa empresa doc.exe")

NanoCore RAT C2:
24thmatch2020.duckdns.org:5626 (194.5.98.28)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23555/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 17:27:29 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rry2zi4r7pje7nkabs6az2t37rbe36wimhf75o5meu4t5czbxp2a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
118526be5d5274a41815a7eca29e751da7378908acea6bb29dcf21460a74c5e1
NanoCore
1bd16b971407f4aeb31f7eb8392b2299b22cc8e1778a8c770e7ac4c0150681e8
NanoCore
2fd9f9784c8b9678b08dcb94886985fa7835d0135ea12689082e0bf604c19bbb
NanoCore
306f60a415f3935c8eb3e3d13fa6957f8ab8161e0818fc93850d54f0f69d0b3f
NanoCore
6343bc22fcb1a909e908ca7c0fa90d34e09f669dbd72a69e75ff8af7a9d217eb
NanoCore
74c74bc92e1e2b1fbec04160533ddc46adfd8e2f691295ad4a08cbd83e01adc7
NanoCore
832782af8ac7a682f48d5a00f549a5474d6b2524386c8826eae41982db8597c3
NanoCore
a485d30d6c6bb72943cce9397693d1246e58b468674848c8c59e75a238b2515e
NanoCore
bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57
NanoCore
e4efbdcde8db7352bdf2cb15677d4dea605e29e8fbcaf77f4aa0bd4d6a089117
NanoCore
+ 2'076 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/200709-tqtw23swzx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
24thmatch2020.duckdns.org:5626
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 4af550932dd1985fffb6ac7902d54d610aba19265cacd6ed26785aa292e4f01a

NanoCore

Executable exe 8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4

(this sample)

  
Dropped by
MD5 d3c15d3d04162814e8689487cfd29933
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23555/
  
Dropped by
SHA256 4af550932dd1985fffb6ac7902d54d610aba19265cacd6ed26785aa292e4f01a

Comments