MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeb8c3abc5285adfd129d20f321f2502d1125f0a0131644fe82c931cc2a5183b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	eeb8c3abc5285adfd129d20f321f2502d1125f0a0131644fe82c931cc2a5183b
SHA3-384 hash:	3a648e71d0073969171776cd13f551b22a876f31d8fa35e98ffff26c2691b85e3dcd555d783b38ffaa3b84a7a8133071
SHA1 hash:	14a46985fccf6beeab446a24313a545e83413f4d
MD5 hash:	a95d2f1d08441c3fb0cba884f8daaa39
humanhash:	green-dakota-mississippi-avocado
File name:	ZFE8zFEDRpbfhKx.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	371'712 bytes
First seen:	2020-06-15 13:03:00 UTC
Last seen:	2020-06-16 09:35:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	6144:7lO8r14QBNsUFu2fqPQnrtuVK80wOYX5WZkeXB9VUxV9xtnkniD4gY5OFc7EW:7lXBNsV2yPQnpaRO+efQrtnYYzFc7N
Threatray	1'299 similar samples on MalwareBazaar
TLSH	6784F1097BDD9B10E1FA9F7899F1184443B4796B2A22E34F8EC530AE1A73BD49541F23
Reporter	abuse_ch
Tags:	exe geo Halkbank NanoCore RAT TUR

abuse_ch

Malspam distributing NanoCore:

HELO: halkbank.com.tr
Sending IP: 37.49.230.92
From: HALKBANK.E-EKSTRE@halkbank.com.tr
Subject: T.HALK BANKASI A.S. 15.06.2020 Hesap Ekstresi
Attachment: Halkbank.iso (contains "ZFE8zFEDRpbfhKx.exe")

NanoCore RAT C2:
osharay.ddns.net:49291 (37.49.230.92)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/10426/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Sonbokli.Acl.11575.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-06-15 13:04:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=524mhk6ffbnn7ujj2ihtehzfalirexykaeywit7ifsjrzqvfda5q._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

70e32f51fdd7cbade222e6e7acc86c8982eba7b1e591449dcaf2566946104d11

NanoCore

77aed51893a8a5e2ab24824dddad42c99cfb46baba36dbe90c72cd8ff6723b7f

NanoCore

8e5c41390f995c72ea749d6f141ec790ab5a61e843355592c2956ee01d8bb005

NanoCore

9570bbdb530065408a2c3d51801fcbb4bd0e5de8ce10b71096dcc8eac4571988

NanoCore

a388721677699e1816b5a7812b0c7bfa301cbe1539aae18fad07c98f85e16168

NanoCore

ccd5df3e21e1543a8cb3f92b37276be48adec9859f12096faaca589a39a0f99b

NanoCore

e4a764560fc747261834c1568d5280725a64036f720ad42ce847353cb4841331

NanoCore

f680bde2f9df0bf77497f36b16e0b1a8b08c847b4e9be02f9842e7d457169437

NanoCore

ffd474ba42b484a0c7eb8688e37334d55e65c49dcb88dcf3bc542276cd7d5348

NanoCore

+ 1'289 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-6rxkrx5hwn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

rezer0

NanoCore

Malware Config

C2 Extraction:

osharay.ddns.net:49291
127.0.0.1:49291

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/