MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0d1174033e97f8357e24a3c08daee72328599e260d622979d5e9d4787b29707. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0d1174033e97f8357e24a3c08daee72328599e260d622979d5e9d4787b29707
SHA3-384 hash: f151fc742d3b349a657213af29690b4d23d9dbb9ed8a21ba8a0b97028f2232268a88385a97dd96621703accac511ff13
SHA1 hash: a9dd75a506a7050c1882fcff61108a973bd1d0fc
MD5 hash: b62b5cb4480ff462342ee24c1e7e2003
humanhash: ack-mississippi-south-romeo
File name:Dacom_Int_Limited - product list & spec#664783y.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:649'216 bytes
First seen:2020-06-03 09:07:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ecQHgHwcIHC0inrQdYpyqwYellweSFfsDOcizwoz+axwE4vQHIIo:ppu9llweSmOlLIIo
Threatray 1'164 similar samples on MalwareBazaar
TLSH 01D4CE487475E523C04CAAB82C52C23457B6AC227B70D59E9DC57DEB73F67E329022A3
Reporter jarumlus
Tags:NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 13:21:43 UTC
AV detection:
15 of 31 (48.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=udiroqbt5f7ygv7cji6arwxooizilgpcmdlcff45l2oupb5ss4dq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
123b0a7526aa6da19d3f2592a46c209be9b89dd5bc2690bcf84ba958247a1589
NanoCore
1f2e6460618c77225b5eb25fed0ffb8e2b42b2c0180ae59fee03afe7f8f906ed
NanoCore
289c596406900aae22ba6b3d5a9d5465e38faebb46698f89def637389f675ae6
NanoCore
2fd9f9784c8b9678b08dcb94886985fa7835d0135ea12689082e0bf604c19bbb
NanoCore
3349e45fdf7c4d828820a47671d70046b51ae806de9987c371edc17e9148eb42
NanoCore
49436ca7e26c3ebe4aea260665e95d80bb9b9b9829a931d647a9abdb0e5e3a1c
NanoCore
6fac11ccc1a67ab04cb4e7477687006e8704c21f5019c9f562be7c8544d90c04
NanoCore
81ce98988c6bc711bb7e96cb59366594d75a19766339cd87b77a0192f0639809
NanoCore
c13ebcd5694fe6c489f6c829828bf20c4cc3008da2c75fe2cf39fda68d1024a6
NanoCore
e3f7e46443905093f45dc19c371eecc0fb10d3d8c81941f1f75a274cabdab033
NanoCore
+ 1'154 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-3rrqdq22bn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
:4110
172.81.129.208:4110
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z 822dbb0d6cf5b97cb5417a86bd7e6426625c5e326459c710bc8b9c888ed70cee

NanoCore

Executable exe a0d1174033e97f8357e24a3c08daee72328599e260d622979d5e9d4787b29707

(this sample)

  
Dropped by
MD5 3ad07f7626490e7ea7ae60bf6ce1fa59
  
Dropped by
SHA256 822dbb0d6cf5b97cb5417a86bd7e6426625c5e326459c710bc8b9c888ed70cee
  
Delivery method
Distributed via e-mail attachment

Comments