MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece
SHA3-384 hash: 86b93d6d1c2052f48927a73a980437733a7eede9be77cfdb7086ca420f205e8c0d38c9d661ff0db96067e0054c14b849
SHA1 hash: e63c00b12ce68c4492b8251df3a249fd5c3c826e
MD5 hash: 8fffb7619b8621a8e71a5f4c0337db89
humanhash: arkansas-don-aspen-fifteen
File name:BL COPY.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:401'920 bytes
First seen:2020-08-03 09:25:37 UTC
Last seen:2020-08-03 13:32:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:vAF8uo6yFDQrpKVcykBDpmghazBaEqAjZebkR6+p+8xaSA+rUqb0MppMpppppw33:vA06jDQzBfqgZebb+p+8xaR+rUqBJ
Threatray 4'844 similar samples on MalwareBazaar
TLSH 5684F14FF584865DCC6D86B1C99390DCC2631C3BA541EB5A38EDB32E0A7D2D1242A8DF
Reporter jarumlus
Tags:NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37654/
Detection(s):
Sanesecurity.Rogue.0hr.20200803-0206.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/407715
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256037 Sample: BL COPY.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Yara detected FormBook 2->62 64 5 other signatures 2->64 8 BL COPY.exe 7 2->8         started        process3 file4 46 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 8->46 dropped 48 C:\Users\user\AppData\...\BL COPY.exe.log, ASCII 8->48 dropped 50 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 8->50 dropped 78 Injects a PE file into a foreign processes 8->78 12 BL COPY.exe 8->12         started        15 cmd.exe 1 8->15         started        17 cmd.exe 3 8->17         started        20 cmd.exe 1 8->20         started        signatures5 process6 file7 80 Modifies the context of a thread in another process (thread injection) 12->80 82 Maps a DLL or memory area into another process 12->82 84 Sample uses process hollowing technique 12->84 86 Queues an APC in another process (thread injection) 12->86 22 explorer.exe 12->22 injected 26 reg.exe 1 1 15->26         started        28 conhost.exe 15->28         started        38 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 17->38 dropped 30 conhost.exe 17->30         started        40 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 20->40 dropped 32 conhost.exe 20->32         started        signatures8 process9 dnsIp10 52 www.joomlas123.com 199.192.16.98, 49753, 49754, 49755 NAMECHEAP-NETUS United States 22->52 54 millypr.com 34.102.136.180, 49747, 49748, 49749 GOOGLEUS United States 22->54 56 2 other IPs or domains 22->56 74 System process connects to network (likely due to code injection or exploit) 22->74 34 wscript.exe 17 22->34         started        76 Creates an undocumented autostart registry key 26->76 signatures11 process12 file13 42 C:\Users\user\AppData\...\149logrv.ini, data 34->42 dropped 44 C:\Users\user\AppData\...\149logri.ini, data 34->44 dropped 66 Detected FormBook malware 34->66 68 Tries to steal Mail credentials (via file access) 34->68 70 Tries to harvest and steal browser information (history, passwords, etc) 34->70 72 3 other signatures 34->72 signatures14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece/
Threat name:
Win32.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 08:19:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
42 of 48 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhhfaiywpsnclvawk3ul2evqk5u7vqds7rxn6ybemqnofr34r3ha._file
Verdict:
malicious
Similar samples:
2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5
NanoCore
83159525ad9374d710ea33342d68834a491e3f14ea3f3fa6c39db3f2096c3059
NanoCore
8791d7218610249f735812d5d7f4f890e0e399c3efab189221bfe96732fc2b1e
NanoCore
8a10ba003c94b5e6576d10a0c4bd01cabef6d87e4811e96c1a028e2cde63f414
NanoCore
8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d
NanoCore
a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5
NanoCore
b008ed360af03c8b5f1a31bad43238507f56e73a546109d66349cc6638cb406f
NanoCore
d2b880fc3d1f874e31d23a37b38f75ceb1162c21ce895aec8dbec7f9c952f8f2
NanoCore
ea74eac48adf2b19c3102578cb14ee0cd1d51f5e5e1da2fb4ab5b0d3f7e91827
NanoCore
f3c6e6f5bf996841cc3777b0b3769e2092e5a85ad110b46764b45c3681793874
NanoCore
+ 4'834 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook evasion
Link:
https://tria.ge/reports/200803-pyz2thze76/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Loads dropped DLL
Blacklisted process makes network request
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Quasar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

r05 137308647b511d0cc1346fd052eaca8af0520bbd7bc8a9664e28df4f02c754b9

NanoCore

Executable exe 61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece

(this sample)

  
Dropped by
MD5 8d1b7606d35905d212df9ff551447e02
  
Dropped by
SHA256 137308647b511d0cc1346fd052eaca8af0520bbd7bc8a9664e28df4f02c754b9
  
Dropped by
NanoCore
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37654/

Comments