MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649
SHA1 hash: 5a3c1d237ea4ce0b9600b2a364a92dcf93733e1c
MD5 hash: 9000eabbb3b94cf32249a39895562c42
File name: Price Request.exe
Signature: NanoCore
File size: 1'446'400 bytes
First seen: 2020-05-23 07:23:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3d95adbf13bbe79dc24dccb401c12091
ssdeep: 24576:6tb20pkaCqT5TBWgNQ7aLwqclBYeilKvhEZG+uJdJC5sNmfK6A:nVg5tQ7aL0lB0UvhMp6Nmy5
TLSH: 5565D01363DD8360C7B26273BA66B7516EBF782506B1F96B2FD4093DE820121521EB73
Reporter: @abuse_ch
Tags: exe NanoCore nVpn RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.158.42.8
From: Richard Carlos <pedro.henrique@medbeta.com.br>
Reply-To: rickshopamericanrental.com@gmail.com
Subject: Price Request
Attachment: Price Request.img (contains "Price Request.exe")

NanoCore RAT C2:
u852121.nvpn.so:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 25
Origin country: US
ClamAV: Sanesecurity.Malware.27686.AidExe.UNOFFICIAL, SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
VirusTotal results: 22.54%

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649 (this sample)

Delivery method: Distributed via e-mail attachment

Comments