MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c40967ded56321a744c0e32a8e18216a906e38d35262693a21e95a9683a47441. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

SHA256 hash: c40967ded56321a744c0e32a8e18216a906e38d35262693a21e95a9683a47441
SHA3-384 hash: a4bc6e17451133d7e024f72f896841f80f2f8a8b0a93600a46b8e317b7d665990d17c42f4c4de4107704a4c6c847aa08
SHA1 hash: 7bddab10e162528d243fa30007aa23a6bca38ab3
MD5 hash: 8ad3acc5de878eaab476ed18990abe73
humanhash: fillet-mockingbird-lamp-black
File name: PO#7645.exe
Signature: NanoCore
File size: 714'752 bytes
First seen: 2020-06-30 13:31:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f26e153c9b6068c0a4770547eb6d9e (14 x Loki, 7 x AgentTesla, 2 x Formbook)
ssdeep: 12288:WCbpcLhilrm7G8oclWEAroCo3DQmTMazdtFq6MVNls8J85:5uLhi80Jro7Bdi6qlsQ85
Threatray: 1'099 similar samples on MalwareBazaar
TLSH: 96E4AE22E7A0443FF172363D9D2B56BC9826BE51392C59472BE4DC4C6F39742393A287
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
Malspam distributing NanoCore:

HELO: server0.officereads.xyz
Sending IP: 23.254.225.57
From: PEMBE PROCUREMENT DEPT<procurement@pembe.co.ke>
Subject: QUOTATION
Attachment: PO7645.rar (contains "PO#7645.exe")

NanoCore RAT C2:
goat22.ddns.net:1989

Intelligence


File Origin
# of uploads: 1
# of downloads: 83
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-06-30 13:33:04 UTC
AV detection: 27 of 48 (56.25%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: keylogger trojan stealer spyware family:nanocore persistence evasion
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Drops startup file
UPX packed file
NanoCore
Malware Config
C2 Extraction: goat22.ddns.net:1989
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NanoCore
Executable exe c40967ded56321a744c0e32a8e18216a906e38d35262693a21e95a9683a47441 (this sample)

Delivery method: Distributed via e-mail attachment

Comments