MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649
SHA3-384 hash: 39f56426f26a54c3f03e868ced51fec8de99c1da2e1e8ccf5401dd3f5eab6ccd73de82273e4baaa2d727e53e440f0bf9
SHA1 hash: 5a3c1d237ea4ce0b9600b2a364a92dcf93733e1c
MD5 hash: 9000eabbb3b94cf32249a39895562c42
humanhash: mars-social-helium-zulu
File name:Price Request.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'446'400 bytes
First seen:2020-05-23 07:23:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:6tb20pkaCqT5TBWgNQ7aLwqclBYeilKvhEZG+uJdJC5sNmfK6A:nVg5tQ7aL0lB0UvhMp6Nmy5
Threatray 1'958 similar samples on MalwareBazaar
TLSH 5565D01363DD8360C7B26273BA66B7516EBF782506B1F96B2FD4093DE820121521EB73
Reporter abuse_ch
Tags:exe NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.158.42.8
From: Richard Carlos <pedro.henrique@medbeta.com.br>
Reply-To: rickshopamericanrental.com@gmail.com
Subject: Price Request
Attachment: Price Request.img (contains "Price Request.exe")

NanoCore RAT C2:
u852121.nvpn.so:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Nanobot
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 16:24:50 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
NanoCore
05bc00d35dec87d6be4ff6eb04ab1c5c6b3fd006e67429ef35b4eb02b48c489c
NanoCore
1038e9a84ab134e86481b12ac645c59e68dd2b182aa201fed07397071e5d057a
NanoCore
2f69bbdb312d1e2421db8c0d82828693ddd494216c6549a0884bc2c188eaf167
NanoCore
522eeb43150a93e0dd1308403baf27e10ca4042330e6405e87913683f3f6a67a
NanoCore
6c775aa70b8dadbb9725cab1c2de67c64eac6c019537d2540eb37d6b2fb7af4c
NanoCore
71b9cfc637c0d49cc0375574e6254b09545d4ebc584b734aa8e35cf04b991332
NanoCore
b0896cbac640a28e5f9f597d546534fb06175652f6c8d4232b65b22a1743be51
NanoCore
c88f2cd1de8f581a1038ef31f8aa401202e34906e8232bc62604b3af4afc2da5
NanoCore
dc28fee9ff485f98bb7a9369a6e24ad8f1a63c123cc9c39ee676d933e1999fc6
NanoCore
+ 1'948 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-xdk5medtx6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
NanoCore
Malware Config
C2 Extraction:
u852121.nvpn.so:3410
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img 84cf4a54c73f11a9de1fc86441749a14b40f18d5e566aed30e027c0ba5bf0ae8

NanoCore

Executable exe f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649

(this sample)

  
Dropped by
MD5 00b2275e8712759e211a0c4b041bebd7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 84cf4a54c73f11a9de1fc86441749a14b40f18d5e566aed30e027c0ba5bf0ae8

Comments