2019-01-04 - MALSPAM PUSHES NANOCORE RAT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2019-01-04-Nanocore-RAT-malspam-0310-UTC.eml.zip 394 kB (393,905 bytes)
- 2019-01-04-Nanocore-RAT-infection-traffic.pcap.zip 401 kB (400,679 bytes)
- 2019-01-04-Nanocore-RAT-malware.zip 771 kB (770,561 bytes)
Shown above: Flow chart for today's Nanocore RAT malspam infection.
HEADERS FROM A MALSPAM EXAMPLE
Shown above: Screenshot from the malspam.
Received: from 99RDP (ip247.ip-51-75-154[.]eu [51.75.154[.]247])
by [removed] for [removed]; Fri, 4 Jan 2019 07:57:37 +0100 (CET)
Received: from gmobile[.]co[.]tz ([127.0.0.1]) by 99RDP with Microsoft SMTPSVC(8.5.9600.16384);
Thu, 3 Jan 2019 19:10:10 -0800
From: "EMKHUNT VENTURES"<admin@gmobile[.]co[.]tz>
To: [removed]
Subject: contract proposal
Date: 03 Jan 2019 19:10:10 -0800
Message-ID: <20190103191010.2632B6E3489128ED@gmobile[.]co[.]tz>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_D25BDCB7.9E399149"
X-OriginalArrivalTime: 04 Jan 2019 03:10:10.0644 (UTC) FILETIME=[00C19940:01D4A3DB]
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Following one of the TCP streams for encoded Nanocore RAT traffic.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 89.35.228[.]199 port 3365 - encoded callback traffic caused by Nanocore RAT malware
FILE HASHES
MALWARE FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 4848c64f08cf6b40414d06269b361829c9482e95fcfcf35f1511397624edb42e
File size: 382,201 bytes
File name: New Proposal_2019.lzh
File description: RAR (not LZH) archive attached to the malspam
- SHA256 hash: bf3cfdbf6d8208f3a3d6c8dd94038ef2bf841036a254e8ffc1d87acf65e10311
File size: 496,640 bytes
File name: New Proposal_2019.exe
File location: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
File location: C:\Users\[username]\AppData\Roaming\3B96BE12-0998-433D-AD05-968ECA250CF6\DDP Manager\ddpmgr.exe
File description: Nanocore RAT malware--a Windows executable extracted from the above RAR archive.
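The attachment above carries a .lzh extension but is actually a RAR archive. A mail-gateway or triage check that compares the claimed extension with the archive's leading magic bytes catches that mismatch; this is an added example, not part of the original post, and the sample bytes below are constructed to mimic the attachment rather than taken from it.

```python
import os
from typing import Tuple

# Well-known leading signatures for the archive formats involved here.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"

# What each extension claims to be; unknown extensions are not judged.
EXTENSION_MAP = {".lzh": "lzh", ".lha": "lzh", ".rar": "rar", ".zip": "zip"}


def detect_archive_type(data: bytes) -> str:
    """Return the archive format implied by the file's first bytes, or 'unknown'."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    # LZH has no fixed magic at offset 0; its header carries a method id such
    # as '-lh5-' at offset 2, after the header-size and checksum bytes.
    if (len(data) >= 7 and data[2:3] == b"-"
            and data[3:5] in (b"lh", b"lz", b"pm") and data[6:7] == b"-"):
        return "lzh"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> Tuple[str, str, bool]:
    """Return (claimed_type, actual_type, mismatch) for an attachment.

    mismatch is True only when both the extension and the content are
    recognised and disagree, so unknown formats do not raise false alarms.
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_MAP.get(ext, "unknown")
    actual = detect_archive_type(data)
    actual_family = "rar" if actual.startswith("rar") else actual
    mismatch = "unknown" not in (claimed, actual) and claimed != actual_family
    return claimed, actual, mismatch


# Constructed sample: RAR magic followed by filler, named like the malspam attachment.
SAMPLE_ATTACHMENT = RAR4_MAGIC + b"\x00" * 16
SAMPLE_NAME = "New Proposal_2019.lzh"

if __name__ == "__main__":
    print(extension_mismatch(SAMPLE_NAME, SAMPLE_ATTACHMENT))
```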
IMAGES
Shown above: Windows registry updates caused by the infection.
Shown above: Copy of Nanocore RAT in the Windows Start Menu Startup folder.
Shown above: Other files and directories created by the infection.