MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash: 8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf
SHA3-384 hash: 91ce93bdd49d9355ffbbfd0875b6c5ab3089c934805a6c193528ff673f493ea8d806a690c5372a2fbf39e08589abcbe8
SHA1 hash: 8cf0ce1460e29066fc816c9d5b03cd6134a8ec70
MD5 hash: ed370a632a9d033970d7707c9f80f355
humanhash: idaho-early-helium-purple
File name: 20200630,pdf.exe
Signature: NanoCore
File size: 316'416 bytes
First seen: 2020-06-30 16:32:27 UTC
Last seen: 2020-06-30 17:57:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:GIRFKz+3ifeCPoyOxKn0zdib0uBlWEvHD1iPDRgD:JRYz+3iFZnr4uBYEpiPDR
TLSH: 6364F159B7D8C31FD6DFB3BAF20682528B71D2C72483EFC7295851A4280B7D569013BA
Reporter: @abuse_ch
Tags: exe NanoCore nVpn RAT

Twitter post by @abuse_ch:
Malspam distributing NanoCore:

HELO: 94-100-28-228.static.hvvc.us
Sending IP: 94.100.28.228
From: sales@varanakis.com <sales@varanakis.com>
Subject: Νέα παραγγελία 30.06.2020
Attachment: 20200630,pdf.iso (contains "20200630,pdf.exe")

NanoCore RAT C2:
billionaire.ddns.net:3734 (79.134.225.122)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 33
Origin country: US

CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/17470/

ClamAV: SecuriteInfo.com.MSIL.Kryptik.WOX.509.UNOFFICIAL

CERT.PL MWDB Detection: nanocore
Link: https://mwdb.cert.pl/sample/8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf/

ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-30 16:34:05 UTC
AV detection: 21 of 31 (67.74%)
Threat level: 2/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-9mplfq8ehe/
Tags: evasion trojan keylogger stealer spyware family:nanocore
Config extraction: billionaire.ddns.net:3734

VirusTotal results: 32.88%

Yara Signatures

Rule name:ach_NanoCore
Author:abuse.ch
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detects the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 40305ec57df94e141db607c94c047059 (signature: NanoCore)
This sample: Executable exe 8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf
Delivery method: Distributed via e-mail attachment
