MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6701c818eb13ccbaf22740946613f1e446522197f4b438cb700fb541d36f0d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA 5 File information Comments

SHA256 hash:	d6701c818eb13ccbaf22740946613f1e446522197f4b438cb700fb541d36f0d6
SHA3-384 hash:	d4c087e308856627ca537296bd09c5b7700d898a8085f3a61e1cfb4b51f6774abc8ac8844bfaaa15226b9cf9161fa1f7
SHA1 hash:	0da4d9f490dea171d810aa06d415f41299594283
MD5 hash:	aa73e99d7e1d62265f75ccc0443a1a7f
humanhash:	whiskey-winner-triple-beryllium
File name:	SHIPMENT DELAY LETTER.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	455'168 bytes
First seen:	2020-04-23 14:00:18 UTC
Last seen:	2020-04-23 15:09:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:zXC4xlmJSiyju3VrR+k6fsqEvqIq6pXYXltELyl20twaphjtXK378r:G4TFLu3VrR+k6fsqESu+Dsz0tTVm78
Threatray	1'220 similar samples on MalwareBazaar
TLSH	17A4AE3829EE902EF17BAF7D95E42595DBBDF6323603F60D1192038A0A23781DD6153E
Reporter	James_inthe_box
Tags:	exe NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.41762.23286.26955.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-23 09:32:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2zybzamowe6mxlzcoqeumyj7dzcgkiqzp5fuhdfxad5vihjw6dla._file

Verdict:

malicious

Label(s):

nanocorerat

dridex

NanoCore

305eb08e59ef7e93a40e6eb8edf0c4a336ff54bfc07cac69d1744c949f53757e

NanoCore

527ca131153a2edba28393f94ecf578531449b3c2f186648ed40ba5a2a2ad643

NanoCore

555618abdf6f7692936fc630a84a2d4e7bb5f7db4877975b5e98f77b939b2235

NanoCore

b269ac01ba383c1e9a7311cdb2af843167b3a5652d8b0791f7d61ce636a439c3

NanoCore

b4aa35cb89fb4ee9c316d487f9b2964b6dd38144160e61a4141dbe28d44196b1

NanoCore

be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0

NanoCore

d28c4fc79cac0d44f25cd239bf3efbcb8185b25850ba4aafecfdd988af23bbc0

NanoCore

ec37bc08604e4d2b0e5f7f38efa6af4916527ff34ba36cdc42ad3fbeb22b9191

NanoCore

f036e2aa7615446d2cb3ab689b13aac4055bf2cb8b19b0999db08d7052a80bf1

NanoCore

+ 1'210 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample