MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5
SHA3-384 hash: 31c5c9acd69044ee22dced019359cc8497e892d6c5c4338812d354e52a1db742c1b33cf93081716b5b78fa568eeae459
SHA1 hash: 0a0239f1c9230f4f2ccf1e0c090b27053cbe6b43
MD5 hash: 57ead8efa0e2eb25ca4607647a610899
humanhash: oklahoma-pip-lactose-earth
File name:msg_details_2207713999077713.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:395'776 bytes
First seen:2020-08-05 08:36:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:0ohyiap2EdTt4/qBfq3d0xDRFGRFvJQVTBZQ9F8JNR6+p+8xaSA+rUqb0MppMpp0:Ep3vBS3dOjuEZQ9eJa+p+8xaR+rUqBJ
Threatray 5'089 similar samples on MalwareBazaar
TLSH 8B84F10BF684A29ECCBE85F0D4E3D0DCC2635C775811BA5A38D6B35E0B3D1C1655A8AB
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: serve0.nz-bd.co
Sending IP: 104.168.190.28
From: "EXPORT3 [SS GROUP]" <info@nz-bd.co>
Subject: Payment Details for Outstanding Invoices Settlement
Attachment: msg_details_2207713999077713.zip (contains "msg_details_2207713999077713.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39227/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/410600
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257569 Sample: msg_details_2207713999077713.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 76 42 cdn.onenote.net 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Yara detected FormBook 2->46 48 .NET source code contains potential unpacker 2->48 50 2 other signatures 2->50 8 msg_details_2207713999077713.exe 7 2->8         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 8->32 dropped 34 C:\...\msg_details_2207713999077713.exe.log, ASCII 8->34 dropped 36 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 8->36 dropped 54 Injects a PE file into a foreign processes 8->54 12 cmd.exe 1 8->12         started        14 cmd.exe 3 8->14         started        17 cmd.exe 1 8->17         started        19 msg_details_2207713999077713.exe 8->19         started        signatures6 process7 file8 21 reg.exe 1 1 12->21         started        24 conhost.exe 12->24         started        38 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 14->38 dropped 26 conhost.exe 14->26         started        40 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 17->40 dropped 28 conhost.exe 17->28         started        30 WerFault.exe 23 9 19->30         started        process9 signatures10 52 Creates an undocumented autostart registry key 21->52
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5/
Threat name:
ByteCode-MSIL.Trojan.SmartAssembly
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 04:07:49 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=folqhbam5i6ee7y2x6hmpbf6ayih7z63jdqzehccpofiuqsuxwsq._file
Verdict:
malicious
Similar samples:
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
NanoCore
478dce496a9eca179f7503d76fa70a27d85e2e8547b81b5c80fc7433122085c3
NanoCore
61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece
NanoCore
83159525ad9374d710ea33342d68834a491e3f14ea3f3fa6c39db3f2096c3059
NanoCore
8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d
NanoCore
9e31a9eedd25bd1b57d01f6f9f265cf5d13218f3e3e1866128d061ba5c77c452
NanoCore
b008ed360af03c8b5f1a31bad43238507f56e73a546109d66349cc6638cb406f
NanoCore
b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9
NanoCore
e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0
NanoCore
f3c6e6f5bf996841cc3777b0b3769e2092e5a85ad110b46764b45c3681793874
NanoCore
+ 5'079 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200805-ytd2v2ef9j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 084b504566d4e10e5cba9681ce59d360ec30f36bd297865cff15d64ec64924c1

NanoCore

Executable exe 2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5

(this sample)

  
Dropped by
MD5 d674bc3090eb4eddef33b9b66ee7a074
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39227/
  
Dropped by
SHA256 084b504566d4e10e5cba9681ce59d360ec30f36bd297865cff15d64ec64924c1

Comments