MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4e3c7871e231318fb43fbdacc011d98d5f671d045facafcd205dd9bf7250f94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4e3c7871e231318fb43fbdacc011d98d5f671d045facafcd205dd9bf7250f94
SHA3-384 hash: f24a6897ba3ae8754711ca9f28754327a9bc8cdcba0ec2870ee22c8f245e7bfb7f0135f29856bb670293a9c1de06790e
SHA1 hash: 6916188439070401fe6126c117445811f30ee6e8
MD5 hash: 81f0c86576708e5bbd32987de541d36c
humanhash: fruit-speaker-asparagus-table
File name:DHL SHIPMENT NOTIFICATION_Xls.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:518'656 bytes
First seen:2020-05-05 08:58:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/AC6o+56pLMsZFAL0mYnCdR9iLMtxgCzlvNsocoiwC9TVJ0cHFCi8w+LVmi54OiD:YCI61RKLaCdEMtxgalldX1
Threatray 1'188 similar samples on MalwareBazaar
TLSH D9B45CDCB66072EFC857D472DEA81C68EA5038BB931B4213A42315EDDA4D897CF644F2
Reporter abuse_ch
Tags:DHL exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: j0j40j2k.ni.net.tr
Sending IP: 185.95.86.158
From: DHL EXPRESS <NoReply.ODD@dhl.com>
Subject: YOUR DHL SHIPMENT NOTIFICATION/UPDATE PARCEL NO:DL7593462
Attachment: DHL SHIPMENT NOTIFICATION_Xls.gz (contains "DHL SHIPMENT NOTIFICATION_Xls.exe")

NanoCore RAT C2:
194.5.98.8:4573

Hosted on nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Nanocore
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 05:10:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytr4pby6emjrr62d7pnmyai5tdk7m4oqix5mv7gsaxozx5zfb6ka._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
dridex
Create hunting rule
Similar samples:
09b6cbc23d3570aa16eb80e836e9a006e9e5f45d6d944e92d00421ab87962b76
NanoCore
5349936f32f9d998a6b60cb20c1f8de9eca1f709d362877e2fe32d1a655310d2
NanoCore
646eec86f996bb1b107e2df7f0f5e37583a92c3057ec6dee0711395a6078e4d1
NanoCore
6d3e117d1b6ac83e892b7e047f4b52ae55248d7298d58f3105e4048607dbf4fe
NanoCore
86fc159edf7d8f3e2606c3e92d9d0966cccf902650a24e21693f40f9abeb60f8
NanoCore
97f67123bf9b506479f14240bb2045a9e5e12062039ad4a60c065232b293ea0c
NanoCore
d4d035a66f0558130f340ab8de3375333d74dba6fec5541c25cc56da77e13042
NanoCore
d7177ba6f1308173baf4b7d1bdbf0631b6491a66a72f7bfc30f9e129063499ae
NanoCore
de931e02ce90c509d5dcf1c3d53352809a909410c00796bdfa9f10514a37a627
NanoCore
f9a2b0dd0cc7eb92351ab8a3c06a332da0db081c949b01a54be6bec49768bcc6
NanoCore
+ 1'178 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-vma2m7rhas/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NanoCore
Malware Config
C2 Extraction:
194.5.98.8:4573
127.0.0.1:4573
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz 6dc3e837477a6cadb9ba1d44b1ca3f551f8313009b5eca44f4627082ead65615

NanoCore

Executable exe c4e3c7871e231318fb43fbdacc011d98d5f671d045facafcd205dd9bf7250f94

(this sample)

  
Dropped by
MD5 d108360d698a0f92891d9e0726a7b59e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6dc3e837477a6cadb9ba1d44b1ca3f551f8313009b5eca44f4627082ead65615

Comments