MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dca09e669f01dcc5efa9ab9120ce3febd53868b3ba12a6e0b4574b82b3d0e392. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dca09e669f01dcc5efa9ab9120ce3febd53868b3ba12a6e0b4574b82b3d0e392
SHA3-384 hash: e9e3dbff2510700708c18d5ae24a8cf8019a8b7f8f0721b1a656e75d0197f0272654f562d80085adfc74dff09febaae2
SHA1 hash: d17aabdf43d9bea4c10cf31ce16c0d7592579c64
MD5 hash: 9c97db9b4c7abc229cd0ecde2d4835c0
humanhash: alaska-fish-table-east
File name:Documents AWB 5-5-2020.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:638'976 bytes
First seen:2020-05-06 08:25:26 UTC
Last seen:2020-05-06 09:09:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:ZvRL69dQVzlamO31UajLxtCGwXOfaiLV017Xs:PI8z4jsGcOfhLV+7Xs
Threatray 1'351 similar samples on MalwareBazaar
TLSH 40D48D07F2489A5EDC5A5777903AC92416A3AE17B632E71E055A7473ABF33C22013F1B
Reporter abuse_ch
Tags:exe Maersk NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: maratheb2.interactivedns.com
Sending IP: 146.88.26.46
From: Maersk Line <verification@maersk.com>
Subject: AWB Documents /Factura Infomacion
Attachment: Documents AWB 5-5-2020.PDF.z (contains "Documents AWB 5-5-2020.exe")

NanoCore RAT C2:
atallatall.ddns.net:5355 (173.209.43.61)

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2900/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.10309.30178.23456.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 01:12:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3sqj4zu7ahoml35jvoisbtr75pktq2ftxijknyfuk5fyfm6q4oja._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
08c1ed3585826baa8e470be4c446478a895317380573ef787e53afdc264569e3
NanoCore
38701fe4b63d1436ba2e26cc7e268327299b58bcccbf074bfb2cbbcf57ceb2ea
NanoCore
6a0aa40f52223a55b0a01d1e3070087f8c408ba9d07159cc072092420c0b7a3a
NanoCore
7528449cf7a3a8d1b8d56a5207cbcff5c2afe95aa6f4258acfa858a28bd370f5
NanoCore
a6b6bafbfe0f877c68f0429898e7dbc9c5307d5d2b58cce6522f9c251958ed05
NanoCore
b78996718e94fe9cf9cc228f474b774fd7bd54133762d183ba2e6c141b3a218a
NanoCore
c068b1a7379f95ee883cd4ed9639bb2b28c380934f3bc0e0c7be97ad808c7b8a
NanoCore
c21ee6cfa09a79362a7f3b03781a7f252d10b41da48dea433e06fe4a0df26eee
NanoCore
d1890599ae15f13b1fc26efd5221a7a20949db644edc28aa3480c0042dc0a6fc
NanoCore
dc28fee9ff485f98bb7a9369a6e24ad8f1a63c123cc9c39ee676d933e1999fc6
NanoCore
+ 1'341 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-y8dvtb4xl6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
NanoCore
Malware Config
C2 Extraction:
atallatall.ddns.net:5355
127.0.0.1:5355
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 0d79536202660c5f64dac143d481aa91374cd2281c593bd2e4573d90df1f9369

NanoCore

Executable exe dca09e669f01dcc5efa9ab9120ce3febd53868b3ba12a6e0b4574b82b3d0e392

(this sample)

  
Dropped by
MD5 e1f9fad8b52daa102fc3c4c797048f6f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0d79536202660c5f64dac143d481aa91374cd2281c593bd2e4573d90df1f9369
Cape
Cape
https://www.capesandbox.com/analysis/2900/
Cape
Cape
https://www.capesandbox.com/analysis/2899/

Comments