MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb70c14b7aa724c2d1cf6881f0a864897d953c367ddbc002594da76941ac376a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb70c14b7aa724c2d1cf6881f0a864897d953c367ddbc002594da76941ac376a
SHA3-384 hash: cfe7710ab6a79b270003bfb587f5f067901620c7096bd86c8b37053663ab31d31256082e3813f99ceac043ea196b090e
SHA1 hash: 411a2b06484c87a4933a6d71f23f2f80ed28ca65
MD5 hash: 3fda76bc627ca60ec8d9aee9d1a16b17
humanhash: artist-fanta-massachusetts-jig
File name:PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:349'184 bytes
First seen:2020-05-10 08:33:50 UTC
Last seen:2020-05-10 09:44:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:D7e6zuwg+fmOXEB+5uSlt+yRiwmh4rSS9JOPB8AWo/YQ4zpxyRGGSlBnOKu8:pgqEB9Slt+yRij4rS+LA/72PGSllOKu
Threatray 1'172 similar samples on MalwareBazaar
TLSH 9C74DF2537AD1374F2769FB019F0E461C7BAB61278B4E36D0E91018A4AE6F40CA51F3B
Reporter abuse_ch
Tags:exe geo NanoCore RAT SAU


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: sp3f.cpserver.net
Sending IP: 79.172.239.35
From: شرطة الرياض <invitation@moi.gov.sa>
Subject: إشعار نهائي من شرطة الرياض قبل القبض عليك
Attachment: PDF.iso (contains "PDF.exe")

NanoCore RAT C2:
172.111.188.199:8829

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45342.15418.1312.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-10 08:35:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=znymcs32u4smfuopnca7bkderf6zkpbwpxn4aaszjwtwsqnmg5va._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
080a6fbf91637b683b6f363092f9b7d6e75b8442c6f9df32ffea0788e16fafdf
NanoCore
2313dde5b84de43d82c693ccd65fdc2efd1321cc0ea3d8c901094805935eb0f1
NanoCore
266fb950b47e675141744de2c8e756706d50eeab5092d2dda233cb2ed0c2fb9c
NanoCore
2c4f41d645657a8be7da399765e00d1d7e170fc6d7114e14fff1c8d717fbca16
NanoCore
37dbfcfd7e663b2c10f51ef49205ad1a8c1c0003261d45e6ac196b0c8d30dd28
NanoCore
6afb227c640c59b8f64fc5a16adf0a25e946cf47198992bc44044976a8c3bcf3
NanoCore
793666eca93a68eaa6cbb34eac888c354c61cc5d92e5f8d99466020a430308b2
NanoCore
84087e77b6088ef6e3d9a61f088ea5c6b6cb9bf1c7d852df6a12e745ab112c11
NanoCore
c01f7d088bbf081d5505e9356a6e1635eed13c9e8f8baef38f7a47c471067da2
NanoCore
f4e44a53a69291a3e254cc11fcf4dbe244f407cff4d919526a2532c65654ad89
NanoCore
+ 1'162 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-zvm6wjvx9a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
172.111.188.199:8829
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso 6161195354a684b757071dbd6d59e147ad6a0bb350218cf2ef64978319c78462

NanoCore

Executable exe cb70c14b7aa724c2d1cf6881f0a864897d953c367ddbc002594da76941ac376a

(this sample)

  
Dropped by
MD5 1ca4574438cc2e229fdc019c9666e1ff
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6161195354a684b757071dbd6d59e147ad6a0bb350218cf2ef64978319c78462

Comments