MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 924f538f64249aaaf38b2e61949ec730a080ffd12f5c1e9ab1b396c63697034c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	924f538f64249aaaf38b2e61949ec730a080ffd12f5c1e9ab1b396c63697034c
SHA3-384 hash:	a4a7a129e7f8c011eefb40bb8d7a36ca0c42ac4c982427bdffa3c15c5e371eee9746cb05abf28da17b25f35ac0c46de9
SHA1 hash:	5ea897b0b0c554a2b0f0eb5efca70e747ede9087
MD5 hash:	f34eb4740ef0881855c2da2ccfd30282
humanhash:	kilo-skylark-wolfram-romeo
File name:	order.r11
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	373'248 bytes
First seen:	2020-05-19 06:54:32 UTC
Last seen:	2020-05-19 08:05:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:99HQQvOrlpteo/G+D+hCLIP/Sp6R9kJ+VTUB/RzBcAe805guvWgCd:3Q+nv+DaZR9S+VIB/Rtcd80VBO
Threatray	1'117 similar samples on MalwareBazaar
TLSH	DE84F10133E95F2AC57D57F82A74D14053B67A672AB2F30D8EF8A0CE2927F414622B57
Reporter	abuse_ch
Tags:	NanoCore nVpn r11 RAT

abuse_ch

Malspam distributing NanoCore:

HELO: vps.yidagnp.com
Sending IP: 45.95.169.73
From: KAREN JINHAI <info@yidagnp.com>
Subject: Re: order
Attachment: order.r11

NanoCore RAT C2:
185.244.29.128:9995

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.47097.6114.13590.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Nanobot

Status:

Malicious

First seen:

2020-05-19 03:56:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sjhvhd3eesnkv44lfzqzjhwhgcqib76rf5ob5gvrwolmmnuxanga._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

1793f187d699d6b5eac0451dc8740943f1622a4ce989e7d8d03fef4976564b1b

NanoCore

1b4dea59e406d410a3d0d1ea8245c339fa8f5eb925f1378a09b0ee812c06508e

NanoCore

2435735bff63b11f82baaafe0737904c936b420f5145d01609a0a0d8c8ce70c9

NanoCore

5832c5ab1d0aedc5c36d6f3146826dd3570c8b7c8434120dfc1972631e54f533

NanoCore

79a191033da8c7040b19ef97042dcef88669f15b784d881cbb5b8ace51cf26ce

NanoCore

ba123e2be2891c5decb58c5f87b722e363a86679d7823bc01f93cf58f1c8973a

NanoCore

ca6c6262134182f4bc6367855eaf6a390bf9f3a1b95e7238f3480dfe8baf50db

NanoCore

e175e145798e6df1589d68158a2e5d87516dc6b0f4c3bd12c83f754555bebf61

NanoCore

f08298a99f513fd7423bdf091d495a72b4aeae206061302e2cb67e9e9c7b8202

NanoCore

+ 1'107 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201109-ngm4q96c9j/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NanoCore

Malware Config

C2 Extraction:

185.244.29.128:9995
127.0.0.1:9995

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

exe 924f538f64249aaaf38b2e61949ec730a080ffd12f5c1e9ab1b396c63697034c

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample