MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4d803a83e2c4c348972b6b8e5fce93416b0c60977a447818f592795505fdff1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4d803a83e2c4c348972b6b8e5fce93416b0c60977a447818f592795505fdff1
SHA3-384 hash: 465bf765680f251e3ef9084b7df4aacf02ebd30dc7943f3bb5910df2dc4b006767a9f7d5793e4854972168303f18bb02
SHA1 hash: 9b71d53a22b99a228b30367457303fa26a122b3d
MD5 hash: 39d0d40e446b827da5a4d109068182f1
humanhash: sodium-delaware-london-finch
File name:DHL貨物配送 8897209547,pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:684'032 bytes
First seen:2020-05-25 08:36:53 UTC
Last seen:2020-05-25 10:16:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94127ecd07060b70a59da9daa8009625 (3 x Loki, 3 x NanoCore, 3 x AgentTesla)
ssdeep 12288:t2Zq148Ejvc94vSStfq6e0837XjpKnPH5NhlacbzXw4hnVO:gcgUVWFB84nPHHhlBbrwgA
Threatray 2'786 similar samples on MalwareBazaar
TLSH C4E4AE32E2E07832C162163D9F4B967CD926BD11393859B62BE4DF4C6F2938174E7287
Reporter abuse_ch
Tags:DHL exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: vps.inebenthe.com
Sending IP: 45.95.169.158
From: DHL Express Cargo <delivery@dhl.com>
Subject: DHL貨物配送
Attachment: DHL貨物配送 8897209547,pdf.iso (contains "DHL貨物配送 8897209547,pdf.exe")

NanoCore RAT C2:
mmiri1.ddns.net:2012 (79.134.225.75)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 00:53:43 UTC
File Type:
PE (Exe)
Extracted files:
294
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2a51dc72b480d943f292ef6137a3d864ac85fec1d59632c52d12636b7285bee9
NanoCore
366bac9db38e89bd47b0128bdf62a4f986d1d27449c12920744e157b819751f1
NanoCore
3874eba497e0b61949d0772430ce1df420e28777dba850a6033295212e9de9c5
NanoCore
5fb13ec9aec5b17f482da9aa1b4843d58721d0c99090e9f6cb3a88940666cc61
NanoCore
6e417fffcd28aea1071fa5c5b240b2f2e655efd6a153040c3fb64876736dcaa5
NanoCore
a498ac74ffd2f4ceccc802b5a42f33e067a7eb6f0b2125c3cf3668dd5c0c7833
NanoCore
cc829675a0e11138d47b42b5c19e45403d7d73731aac0c97ca8b2a0e37a960f8
NanoCore
de5da27d55060988faa9fb717e8b32e374bca6d86f7eb758c3b1aa062c5aa90b
NanoCore
eddb02f1d6ecdcfb30630930e91c51d05d71e18b348c4e3ef2f6a84d2895ba6d
NanoCore
f304855a11aedd539b9bdb686b1d5781e0d7080560f9520c6bda8586947b3285
NanoCore
+ 2'776 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-tx2b63hy4a/
Behaviour
Creates scheduled task(s)
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
NanoCore
Malware Config
C2 Extraction:
mmiri1.ddns.net:2012
185.140.53.137:2012
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso cc88e6e4b3938e7cf97c24197dd8d24e37dd598bb18bfebedd4f7f9fec81173c

NanoCore

Executable exe d4d803a83e2c4c348972b6b8e5fce93416b0c60977a447818f592795505fdff1

(this sample)

  
Dropped by
MD5 198174474f3daef1dd19470a44cfdcf1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cc88e6e4b3938e7cf97c24197dd8d24e37dd598bb18bfebedd4f7f9fec81173c

Comments