2019-01-04 - MALSPAM PUSHES NANOCORE RAT

ASSOCIATED FILES:

 


Shown above:  Flow chart for today's Nanocore RAT malspam infection.

 

HEADERS FROM A MALSPAM EXAMPLE


Shown above:  Screenshot from the malspam.

 

Received: from 99RDP (ip247.ip-51-75-154.eu [51.75.154.247])
        by
[removed] for [removed]; Fri,  4 Jan 2019 07:57:37 +0100 (CET)
Received: from gmobile.co.tz ([127.0.0.1]) by 99RDP with Microsoft SMTPSVC(8.5.9600.16384);
        Thu, 3 Jan 2019 19:10:10 -0800
From: "EMKHUNT VENTURES"<admin@gmobile.co.tz>
To:
[removed]
Subject: contract proposal
Date: 03 Jan 2019 19:10:10 -0800
Message-ID: <20190103191010.2632B6E3489128ED@gmobile.co.tz>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0012_D25BDCB7.9E399149"
X-OriginalArrivalTime: 04 Jan 2019 03:10:10.0644 (UTC) FILETIME=[00C19940:01D4A3DB]
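The Received chain above is the part of these headers worth scripting when you have more than one sample. The following Python script is an added example, not code from the original page; it embeds the header block shown above as constructed sample input (with the redacted fields left as "[removed]"), unfolds the headers, lists the Received hops oldest first, takes the first globally routable address on the path as the origin, flags that the earliest hop is a loopback handoff asserting the From domain, and measures the time between the first and last hop timestamps. All function and field names are the example's own.

```python
from __future__ import annotations

import re
from datetime import datetime
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Constructed sample input: the header block shown on this page, with the
# fields the page redacts left as "[removed]" exactly as they appear there.
SAMPLE_HEADERS = """\
Received: from 99RDP (ip247.ip-51-75-154.eu [51.75.154.247])
        by
[removed] for [removed]; Fri,  4 Jan 2019 07:57:37 +0100 (CET)
Received: from gmobile.co.tz ([127.0.0.1]) by 99RDP with Microsoft SMTPSVC(8.5.9600.16384);
        Thu, 3 Jan 2019 19:10:10 -0800
From: "EMKHUNT VENTURES"<admin@gmobile.co.tz>
To:
[removed]
Subject: contract proposal
Date: 03 Jan 2019 19:10:10 -0800
Message-ID: <20190103191010.2632B6E3489128ED@gmobile.co.tz>
X-OriginalArrivalTime: 04 Jan 2019 03:10:10.0644 (UTC) FILETIME=[00C19940:01D4A3DB]
"""

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """Unfold a header block into (name, value) pairs in file order.

    Any line that does not start with "Name:" is folded into the previous
    header, even without leading whitespace, so the redacted "[removed]"
    lines on this page stay attached to the Received header they belong to.
    """
    headers: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if HEADER_START.match(line):
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        elif headers:
            name, value = headers[-1]
            headers[-1] = (name, f"{value} {line.strip()}".strip())
    return headers


def parse_received(value: str) -> dict:
    """Extract the from/by hosts, bracketed IPv4 and timestamp of one Received header."""
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    m_ip = BRACKETED_IPV4.search(value)
    when: datetime | None = None
    if ";" in value:  # the timestamp follows the last semicolon
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "when": when,
    }


def analyze_headers(raw: str) -> dict:
    """Summarise the delivery path of a message from its raw headers."""
    headers = unfold_headers(raw)

    def header(name: str) -> str | None:
        return next((v for n, v in headers if n.lower() == name), None)

    # Each relay prepends its own Received header, so reverse to get oldest first.
    hops = [parse_received(v) for n, v in headers if n.lower() == "received"][::-1]

    # Origin: the first globally routable address on the path. Loopback or
    # private hops before it are internal handoffs on the sending system.
    origin_ip = next((h["ip"] for h in hops if h["ip"] and ip_address(h["ip"]).is_global), None)
    first_hop_loopback = bool(hops and hops[0]["ip"] and ip_address(hops[0]["ip"]).is_loopback)

    m_domain = re.search(r"@([A-Za-z0-9.-]+)", header("from") or "")
    from_domain = m_domain.group(1) if m_domain else None

    # Heuristic: the From domain is only ever asserted by a loopback hop, never
    # by a host whose IP or rDNS ties it to that domain.
    from_domain_only_on_loopback = bool(
        from_domain and first_hop_loopback and hops[0]["from"] == from_domain
    )

    stamps = [h["when"] for h in hops if h["when"]]
    transit_seconds = int((stamps[-1] - stamps[0]).total_seconds()) if len(stamps) > 1 else None
    sent = parsedate_to_datetime(header("date")) if header("date") else None
    date_vs_first_hop = int((stamps[0] - sent).total_seconds()) if sent and stamps else None

    return {
        "hops": hops,
        "origin_ip": origin_ip,
        "from_domain": from_domain,
        "first_hop_loopback": first_hop_loopback,
        "from_domain_only_on_loopback": from_domain_only_on_loopback,
        "transit_seconds": transit_seconds,
        "date_vs_first_hop_seconds": date_vs_first_hop,
    }


if __name__ == "__main__":
    result = analyze_headers(SAMPLE_HEADERS)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']} at {hop['when']}")
    for key in ("origin_ip", "from_domain", "first_hop_loopback",
                "from_domain_only_on_loopback", "transit_seconds", "date_vs_first_hop_seconds"):
        print(f"{key}: {result[key]}")
```

Run against the sample, the origin resolves to 51.75.154.247 (ip247.ip-51-75-154.eu), the earliest hop is 127.0.0.1 announcing itself as gmobile.co.tz to the 99RDP host, the Date header matches that first hop exactly, and 3 hours 47 minutes pass before the receiving server's Received stamp. The loopback heuristic is a prompt to look closer, not proof of spoofing on its own; a legitimate mail server can also relay to itself over loopback.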

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Following one of the TCP streams for encoded Nanocore RAT traffic.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

FILE HASHES

MALWARE FROM AN INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Windows registry updates caused by the infection.

 


Shown above:  Copy of Nanocore RAT in the Windows Start Menu Startup folder.

 


Shown above:  Other files and directories created by the infection.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
