MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c043fb2d5fbffc0095d4b7c17cae0213d1cb4e6b4dd1a0cc2c24b9a2cee19fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	9c043fb2d5fbffc0095d4b7c17cae0213d1cb4e6b4dd1a0cc2c24b9a2cee19fa
SHA3-384 hash:	5e2d5c040c1cb29142411c2d280037470add027bf8950fbf6f5b2046342c66ce08120488bdc4f6be4afc82f47d72575b
SHA1 hash:	5402777edfb5401be7f71a04dc24bbe6d08e13e2
MD5 hash:	9280d9ceb06e998c20544847e6967bbb
humanhash:	alpha-magazine-aspen-virginia
File name:	RFQ CON74901220200427 #003782083762973 ,xlsx.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	812'544 bytes
First seen:	2020-04-27 11:12:45 UTC
Last seen:	2020-04-27 23:57:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:PH5mlYGmHp5GTeBgcF5ZljGWvfAkkQfNQ58/YzQpBl2:PH5mlYlJMUFvxvfwfa/YzQT
Threatray	1'079 similar samples on MalwareBazaar
TLSH	69057C1207B44A61FBAFB6F8DC285E16D2B0DAEF9985FB4D074835F62456360D833923
Reporter	cocaman
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VQD.8321.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-27 12:39:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tqcd7mwv7p74ack5jn6bpsxaee6rznhgwtorudgcyjfzulhodh5a._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

06d720fb36d32c1b3ce7fea9bb50eb90c2e1d90b270c1f21658c1035344a4c4b

NanoCore

15e832cfe4bca263c941f26d1da9bfdac36340a2ee29ad62cd0c7cb5037b0b6d

NanoCore

266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34

NanoCore

34f1b02bdccebe61deb518957acd32c9a64ce358102db3be15ed7d46f9945004

NanoCore

3f423a4bed38af85be2527d22db419c4796f4483ba87f9560dc12aa932c66209

NanoCore

49734ef67be2f2a71545820ed6258683d03a9aa3a97db586aea7d148090b4fa4

NanoCore

7ca87455dd2039c423ae801536485e5837fb89ac22f363c498f873d030fb6768

NanoCore

a37f501c2d65d191828fe20bf148436de23201f6fe852d59dfa67aaa5fc206e8

NanoCore

aa699d6811b7b84893adc0734f2d1b044903ffd15d68ccde38002f34057c35fe

NanoCore

+ 1'069 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar b41769500fd86e9973e3aecd59e11e58d2890543e529d6d818fcc9a850e87d07

NanoCore

exe 9c043fb2d5fbffc0095d4b7c17cae0213d1cb4e6b4dd1a0cc2c24b9a2cee19fa

(this sample)

Delivery method

Other

Dropped by

SHA256 b41769500fd86e9973e3aecd59e11e58d2890543e529d6d818fcc9a850e87d07

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample