MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c40967ded56321a744c0e32a8e18216a906e38d35262693a21e95a9683a47441. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: c40967ded56321a744c0e32a8e18216a906e38d35262693a21e95a9683a47441
SHA3-384 hash: a4bc6e17451133d7e024f72f896841f80f2f8a8b0a93600a46b8e317b7d665990d17c42f4c4de4107704a4c6c847aa08
SHA1 hash: 7bddab10e162528d243fa30007aa23a6bca38ab3
MD5 hash: 8ad3acc5de878eaab476ed18990abe73
humanhash: fillet-mockingbird-lamp-black
File name: PO#7645.exe
Signature: NanoCore
File size: 714'752 bytes
First seen: 2020-06-30 13:31:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f26e153c9b6068c0a4770547eb6d9e
ssdeep: 12288:WCbpcLhilrm7G8oclWEAroCo3DQmTMazdtFq6MVNls8J85:5uLhi80Jro7Bdi6qlsQ85
TLSH: 96E4AE22E7A0443FF172363D9D2B56BC9826BE51392C59472BE4DC4C6F39742393A287
Reporter: @abuse_ch
Tags: exe NanoCore RAT


Twitter (@abuse_ch):
Malspam distributing NanoCore:

HELO: server0.officereads.xyz
Sending IP: 23.254.225.57
From: PEMBE PROCUREMENT DEPT<procurement@pembe.co.ke>
Subject: QUOTATION
Attachment: PO7645.rar (contains "PO#7645.exe")

NanoCore RAT C2:
goat22.ddns.net:1989

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 33
Origin country: US
CAPE Sandbox
Detection: n/a
Link: https://www.capesandbox.com/analysis/17225/
ClamAV
SecuriteInfo.com.Win32.Herz.B.23927.UNOFFICIAL
PUA.Win.Adware.Slugin-6803969-0
PUA.Win.Adware.Slugin-6840354-0
SecuriteInfo.com.Variant.Zusy.307895.13627.19246.UNOFFICIAL
CERT.PL MWDB
Detection: nanocore
Link: https://mwdb.cert.pl/sample/c40967ded56321a744c0e32a8e18216a906e38d35262693a21e95a9683a47441/
ReversingLabs
Status: Malicious
Threat name: Win32.Trojan.Injector
First seen: 2020-06-30 13:33:04 UTC
AV detection: 27 of 48 (56.25%)
Threat level: 2/5
Spamhaus Hash Blocklist
Status: Malicious file
Hatching Triage
Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-7sa58ksr3x/
Tags: keylogger trojan stealer spyware family:nanocore persistence evasion
Config extraction: goat22.ddns.net:1989
VirusTotal
VirusTotal results: 52.86%

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detetcs the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: NanoCore
File type: Executable exe
SHA256: c40967ded56321a744c0e32a8e18216a906e38d35262693a21e95a9683a47441 (this sample)