MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af7f7be5f98ff1a7a274a5984abf806f2a8b6fd648f9d16501a0e5932e2b1480. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	af7f7be5f98ff1a7a274a5984abf806f2a8b6fd648f9d16501a0e5932e2b1480
SHA3-384 hash:	c792046d985c3b4c84297aaad97e92d5d2e28abee57b003764fec335c96bbbfe7b68c124cb584c9483d06927713f7f59
SHA1 hash:	ef5342dea13e4a6579adbf9b736d494a220df609
MD5 hash:	74f41eb28e54778839de2faa0252ac1e
humanhash:	jupiter-washington-butter-fish
File name:	Company_profile.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	616'448 bytes
First seen:	2020-04-30 10:49:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:GnAAHv7Tab/sP56gDevMKqNe3g2OucsQlgtWWgExMs40/GAKu1WZcqede5Kf:GXAsPWv7hw+sCv
Threatray	1'086 similar samples on MalwareBazaar
TLSH	2DD46C5C369070DFD527DA72DEA52C64EA21B877A30FC207A053229D8E6DA97DF101F2
Reporter	abuse_ch
Tags:	exe NanoCore nVpn RAT

abuse_ch

Malspam distributing NanoCore:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: cpsupport@cyber.net.pk
Subject: Invitation To Bid (RFQ) For The Referenced Supply of your product
Attachment: order_details.img (contains "Company_profile.exe")

NanoCore RAT C2:
kmt-2.duckdns.org:6060 (185.165.153.222)

Pointing to nvpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.43471.25253.22197.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-30 11:23:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=v57xxzpzr7y2pituuwmevp4an4viw36wjd45czibudszglrlcsaa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

18bdd68703502522d10d79980cb0aab03f01580afb4c229591615444f750998c

NanoCore

3465a87f7c026e390a862f5d4b638745f80fa24a5ef94998e2f5c1818dd0bc15

NanoCore

430596618928471c2bb2df11155686033c916418c1792875f329ae8156debfaa

NanoCore

5e54db4c77518b020952fc28a2397df18eaec44892ebfb56a28c1ec39aed1f87

NanoCore

7baab7242a77b5500c08da0c91f350b686a3fea284bc3e5cf0d2d558316e3538

NanoCore

b61341f38e33a3eeee6ef999b73067de9cd2d0cbfd97bdb426fdd0b06e5e07eb

NanoCore

b6512a533865ba3ca3a66e1eb66b8530fcf215e1f0d0372961f55b70fcf3ae3c

NanoCore

c068b1a7379f95ee883cd4ed9639bb2b28c380934f3bc0e0c7be97ad808c7b8a

NanoCore

dd02cb85d94d9d687d5de330f198abd8f1a84720947c03dfad880526830986f3

NanoCore

+ 1'076 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img b570184f4002303531755b58d3ad43281a84cedf643eb32b0f04bc9bdf4cf87d

NanoCore

exe af7f7be5f98ff1a7a274a5984abf806f2a8b6fd648f9d16501a0e5932e2b1480

(this sample)

Dropped by

MD5 4048bb45428a35d68c942013367dfa42

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 b570184f4002303531755b58d3ad43281a84cedf643eb32b0f04bc9bdf4cf87d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample