MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 944b633d92799fe6aeefae5de7945b6b0b69020ed669d9d7e68ebd80868771e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 944b633d92799fe6aeefae5de7945b6b0b69020ed669d9d7e68ebd80868771e6
SHA3-384 hash: d39cf9d8965f899372090e4d5e8f0c4dbbb09376b0b8b222e893ba74618593706de209fad65c2d3a9be64f46a37949b6
SHA1 hash: 920e2fadf1372cd0d0f0c5f086d18a7eda79587f
MD5 hash: 2b88bb3a1dc7d15f7ee00323f4d8f142
humanhash: beer-washington-three-seventeen
File name: USPS.exe
Signature: NanoCore
File size: 1'313'792 bytes
First seen: 2020-06-17 18:15:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3d95adbf13bbe79dc24dccb401c12091
ssdeep: 24576:ntb20pkaCqT5TBWgNQ7acSi0NxuYCupJskuM6A:kVg5tQ7ac6xu7khf5
TLSH: 6255AE12339D8261F27D61737A156701EE7BE8250361B4EB1FB68B3CAB131A1073A767
Reporter: @abuse_ch
Tags: exe NanoCore nVpn RAT USPS


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.158.42.8
From: USPS Dispatch <pedro.henrique@medbeta.com.br>
Reply-To: NOREPLY@USPS.COM
Subject: Pickup
Attachment: USPS.IMG (contains "USPS.exe")

NanoCore RAT C2:
u852121.nvpn.to:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 38
Origin country: US

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence
Threat name: Win32.Trojan.Predator
Status: Malicious
First seen: 2020-06-17 18:36:24 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 5/5

Result
Malware family: nanocore
Score: 10/10
Tags: evasion trojan keylogger stealer spyware family:nanocore

Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
NanoCore

Malware Config
Extraction: u852121.nvpn.to:3410

Yara Signatures
Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NanoCore
Executable exe 944b633d92799fe6aeefae5de7945b6b0b69020ed669d9d7e68ebd80868771e6 (this sample)
Delivery method: Distributed via e-mail attachment