MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92632fa88b730e2593837c7d51884384dcf8c887fd4b8d3cc6741d12ae9cd347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92632fa88b730e2593837c7d51884384dcf8c887fd4b8d3cc6741d12ae9cd347
SHA3-384 hash: aa35c3e34487796583e6a0f31a86c21f0b5df6a19c9af328946382e4bc16b1a623c04e593ce4222ce023c7c6b9417dce
SHA1 hash: 94f70ec4e76596891004df0b15c74fae9cf7dc46
MD5 hash: a92763d7bd4453551647dd2df4c40b65
humanhash: orange-avocado-juliet-bulldog
File name:Investigations document Islamic Republic of Iran doc.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:404'480 bytes
First seen:2020-05-03 08:09:33 UTC
Last seen:2020-05-03 08:49:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:wChu/4OPPpFmDbUEOP62KENhAs9gMEUWk8LF9aE894FAGrvyZ+BwCPk1TY98cBfm:wwuVP+Db5OC2KaSpD5U2TrKZ+BwCbuk
Threatray 1'097 similar samples on MalwareBazaar
TLSH 2884C02439FE862FF27F5F74E9D82062EB69E2B37603E31A459103464E13B52DE4521B
Reporter abuse_ch
Tags:exe geo IRN NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: dharmajaya.co.id
Sending IP: 103.113.170.147
From: دفتر مرکزی پلیس ملی <invitations@posta.hu>
Subject: Fwd:Re:Re:Re:دعوت نهایی نیروی انتظامی ایران.
Attachment: Investigations document Islamic Republic of Iran doc.arj (contains "Investigations document Islamic Republic of Iran doc.exe")

NanoCore RAT C2:
atiku2.duckdns.org:5626 (185.244.30.6)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_Foundation_Hungary
remarks: Budapest, Hungary
country: HU
org: ORG-FOSF3-RIPE
admin-c: FOSF1-RIPE
tech-c: FOSF1-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-04-06T19:58:39Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Fonctuzim.1.17666.7323.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 00:20:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjrs7kelomhcle4dpr6vdccdqtoprseh7vfy2pggoqorflu42ndq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
147e92a20eaa350aef112cd3110af132aa9667af4e8eb90d345d4b7da8cea95c
NanoCore
286add28a79440668077a7d762ee81ee169f1c08daa27bc680dbf8c8832d2785
NanoCore
4c886afcf091e440b12ade502e4b8dcd2e9995cb2c10d7c0f8fd16e736d6fca6
NanoCore
713c780c42db40b3456b797e578c889f19a915441a428277aaa8235dfecd0142
NanoCore
81783c63ad44bdb77b3db79ec3cafb33222395e89d765c4ffbab36ea6b9c96eb
NanoCore
b26960e8083466e40ebbfcc6dfe93c4080a516d6260e1a2900ce7649fc44442e
NanoCore
b2bccd13743ac9153a8b731af82d6b19fa7395dd16596a3b5f783f1092419c3a
NanoCore
bcaf5698e3d5291c284e0ea40deec27e69c4942049f1c90a4e334e066485dfa9
NanoCore
c068b1a7379f95ee883cd4ed9639bb2b28c380934f3bc0e0c7be97ad808c7b8a
NanoCore
c315112980543e9046f7b3167586d3a5ba25734aac85679542adaca7867f3ef7
NanoCore
+ 1'087 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 45e510c900497d9403675054fdf57d4da0c0223a22fc9e843b273c8798de364d

NanoCore

Executable exe 92632fa88b730e2593837c7d51884384dcf8c887fd4b8d3cc6741d12ae9cd347

(this sample)

  
Dropped by
MD5 1cb86c104be18b418294800ba5224e0b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 45e510c900497d9403675054fdf57d4da0c0223a22fc9e843b273c8798de364d

Comments