MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4b8370a2f9b30c900f56ba9b2a405f5d4febde0515c52647af81b79eaf7febf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	c4b8370a2f9b30c900f56ba9b2a405f5d4febde0515c52647af81b79eaf7febf
SHA3-384 hash:	93bc9300ce86d3b083f85272935a61910962609f5f62945a5dce0ef9e3e9025ab0a18a6e4c6ea492e027d60adc39ba73
SHA1 hash:	b89aa44dc3c7310b0749a15fac4f3926f6a820b8
MD5 hash:	6d4d962e40d13588f93e90d3ff906df3
humanhash:	aspen-speaker-four-romeo
File name:	Invo.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	280'064 bytes
First seen:	2020-04-17 08:37:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:T2BHrTEAlqvaNJE7voA2d4qXDgvKBJFArF2YhnnTMyF:SdjcaNC7v72SqXUvKB8rbtM
Threatray	1'148 similar samples on MalwareBazaar
TLSH	A754D125978C2A2FC9AD2234C0893319E779D1A3A583FB1F514CC0FDDE72BC5958639A
Reporter	abuse_ch
Tags:	COVID-19 exe NanoCore RAT

abuse_ch

COVID-19 themed malspam distributing NanoCore RAT:

HELO: vm593.rz.uni-osnabrueck.de
Sending IP: 131.173.17.199
From: "CDC Team" <cdc-covid19@uni-osnabrueck.de>
Subject: Coronavirus update (COVID-19) <victim-email> your neighbors tested positive!
Attachment: CoronaVirus.xlsm

NanoCore RAT payload URL:
http://gbud.webd.pl/cli/Invo.exe

NanoCore RAT C2:
549177.duckdns.org:54917 (137.74.80.220)

Resolves to OVH IP space

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.66565.15788.1122.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Nanobot

Status:

Malicious

First seen:

2020-04-17 00:40:51 UTC

File Type:

PE (.Net Exe)

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ys4docrptmymsahvnou3fjaf6xkp5ppakfofezd27anxt2xx727q._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

36ac5bec6993086917f960048af37ef846dcfe5042aeb7c0bf519ae060d0ea90

NanoCore

65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10

NanoCore

6a0aa40f52223a55b0a01d1e3070087f8c408ba9d07159cc072092420c0b7a3a

NanoCore

819b7cdae5437e09dddc2263080df829d2e8ba725f4364bfddf0cd10eb848692

NanoCore

a032cd20c067b83f1cab391af7671f7ae669de96dbf995f08580b14d218aeccc

NanoCore

d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0

NanoCore

d8021d01301e057b4f51017952545673b0892e07d5546745fc1159d740716fbf

NanoCore

e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69

NanoCore

f86a114e73dd0f15bc888e3db1477aa4c92d333bb236c4d3d1f49e72858bb80d

NanoCore

+ 1'138 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

xlsm 1b0329aa6aad2d2b0a9fc983fad925441fdaf8c5d53c1e878a98e3f0b5466984

NanoCore

exe c4b8370a2f9b30c900f56ba9b2a405f5d4febde0515c52647af81b79eaf7febf

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/341695/

Dropped by

MD5 d4177645156c5f3949a32d9c88d32f3e

Dropped by

SHA256 1b0329aa6aad2d2b0a9fc983fad925441fdaf8c5d53c1e878a98e3f0b5466984

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample