MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b78996718e94fe9cf9cc228f474b774fd7bd54133762d183ba2e6c141b3a218a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b78996718e94fe9cf9cc228f474b774fd7bd54133762d183ba2e6c141b3a218a
SHA3-384 hash: cd14dc8be42056fcf28686944ce7f95dcff69cdb6c74b53986d1f9e8e8ac5d79098873d822d73c57596c608d07efafe8
SHA1 hash: 9076ec9ce2f62430fc6f4c10df7b3200ab9634ac
MD5 hash: d9b3d683f889376a26b30997bbf1353a
humanhash: october-paris-colorado-iowa
File name:POEA MEMORANDUM NO. 60- 2020.PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'108'691 bytes
First seen:2020-06-03 09:33:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:bNA3R5drX9jdpXgQ9uAxaRzrx/Kmq21seYn8S9KRX:G59JpLcGOB/M2ie4851
Threatray 1'573 similar samples on MalwareBazaar
TLSH 0D351242F9C344B1D9331D36163A7E15A9BE75201F28DA3E73D0096AED71183A636BB3
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: gmmgroupasia.wsiph2.com
Sending IP: 173.230.147.68
From: POEA <info1@poea.gov.ph>
Subject: POEA MEMORANDUM NO. 60- 2020. GENTLE REMINDER!
Attachment: POEA MEMORANDUM NO. 60- 2020.lzh (contains "POEA MEMORANDUM NO. 60- 2020.PDF.exe")

NanoCore RAT C2:
aashkanani22.casacam.net:54985 (79.134.225.69)
aashkanani22.ddns.net:54985 (79.134.225.69)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Mbt
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 13:52:33 UTC
AV detection:
26 of 48 (54.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w6ezm4most7jz6omekhuos3xj7l32vatg5rnda52fzwbigz2egfa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
1ca9978db84d8cad7f6a8f838e106799352c386cfa3aee2bbefa195e7fabe166
NanoCore
3425b3af968c358eb243c6a14a34e3019b9fac1261a3ceab452392e606189205
NanoCore
38701fe4b63d1436ba2e26cc7e268327299b58bcccbf074bfb2cbbcf57ceb2ea
NanoCore
4c4881464fd7d95cfe2d60dfd7beff8dd9c3426c15c945500db1e8714374556c
NanoCore
4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470
NanoCore
6066b9b33c7336497e3fe0b7b0eb04c8fa8d27accdaad763658cd29865b2236e
NanoCore
a259ab9f2ce1c874205cd31ac2f4ff924955caf2a81396b400dceb2438ff8921
NanoCore
ae9576df43dd4f5e8d48c6774e7bbbd1a6baaad219c4022dd49af9fdaec57d61
NanoCore
d71b477cd43b0b25d958391d04579451cdcc8ea6f3cb880459822a17361ebc62
NanoCore
f9e386914a47b738dcfe89fadf3021be00c2dfe8824d8326ea79fcd79d3673cc
NanoCore
+ 1'563 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-dbcxavby96/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
aashkanani22.casacam.net:54985
aashkanani22.ddns.net:54985
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 36bde0dc21b9410ddd0332861f52d7a9dd19b69f9d4489ba898318d2097a397c

NanoCore

Executable exe b78996718e94fe9cf9cc228f474b774fd7bd54133762d183ba2e6c141b3a218a

(this sample)

  
Dropped by
MD5 42d5f0c92eec0d054e7a1eaf39970032
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 36bde0dc21b9410ddd0332861f52d7a9dd19b69f9d4489ba898318d2097a397c

Comments