MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2dbd686e32057f85bd87cd34af193f3ebf6e6f99de996da2a8dcc533d9ad19f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	d2dbd686e32057f85bd87cd34af193f3ebf6e6f99de996da2a8dcc533d9ad19f
SHA3-384 hash:	e43e0f297c3dbd019fec78da2f9e2b89120b1ea03f6ea45c57edcdee92f28704d4fa957ddbe80c3b4d7fb0678ba4881a
SHA1 hash:	7a0eb01f9a8ca2e3a018f738d62be98e93834597
MD5 hash:	574dad44c655368c7aa44fec99429192
humanhash:	double-winter-edward-speaker
File name:	NEW_ENQU.EXE
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	557'568 bytes
First seen:	2020-04-28 05:58:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	6144:uRlSQzwvarKqs/WpwAkzscdDRrVihzwa6CDn+l1ze9lwp1kp/C73dNyk:uTSxarK1/Wnk4c9Ro6a6Eke9ls0Y/
Threatray	1'091 similar samples on MalwareBazaar
TLSH	50C41554BFF858E3C26A5CF50071103047B19F2669BBE2D5AC8271FA55F1BEB0A93A43
Reporter	cocaman
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Nymeria-7168557-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-28 04:25:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ln5nbxdebl7qw6yptjuv4mt6pv7nzxztxuznwrkrxgfgpm22gpq._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

08c1ed3585826baa8e470be4c446478a895317380573ef787e53afdc264569e3

NanoCore

7795d2106023220b5e106b1e05815e7818d66189c01d4bc927767008fccdc6d2

NanoCore

91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5

NanoCore

9d44ded1da60c6d985cd16f0b98954f746f83f3d7d093f15f30a88eb14441e0a

NanoCore

b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4

NanoCore

c1e95a6f558510abc5490b3c48c42b49b999d45ad187691c84d9d06473a16e7a

NanoCore

d8ad1152e4f637d74f26843242b113b17d305d71a9b1c1aa6005ab599371cc8b

NanoCore

ea4115e347193aa868162072e3db30d9652650aa2915726aa83d91beb202b9bb

NanoCore

f6418cb1cf7a9024b0a8e7f736c45f0a7e8aaa5ecd2d41241f20a56ea05ccf07

NanoCore

+ 1'081 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img b5cfda16e7e48ff35a90bd7b052d3980ea01ac0074907bb7ae5fe9a5859590d6

NanoCore

exe d2dbd686e32057f85bd87cd34af193f3ebf6e6f99de996da2a8dcc533d9ad19f

(this sample)

Delivery method

Other

Dropped by

SHA256 b5cfda16e7e48ff35a90bd7b052d3980ea01ac0074907bb7ae5fe9a5859590d6

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_TRUST_INFO	Requires Elevated Execution (Unrestricted:true)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample