MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d
SHA3-384 hash: 8a080fbbd175aba4f7fe929b88521f315db01b6c8883acc7a27325353d11d9b08d2b63d143aaf3cf3665f9936969bcf5
SHA1 hash: fcb23cf174509fa4e72be49eb7f47a85994014f5
MD5 hash: d8a13606c45b5b585402f009044a8677
humanhash: winter-mexico-don-august
File name:Quotation Laminate - GIH.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:499'712 bytes
First seen:2020-08-19 13:41:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:dTi+G7WYststqWHR8j9yqQy2Uc64bqJFlRXzb6w0LWlxzpmaDrjVjnLswhZMHAVx:dT1N6u9QyJcxq1MpWlxz7D50SyE
Threatray 2'241 similar samples on MalwareBazaar
TLSH 82B4C057B266F252CB882FB4D4B1F7BD06F0A778DC13D202B8BC3B5D6559B9A0815223
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: amassgroup.com
Sending IP: 37.48.85.242
From: "Ivy Zhang" <ivy.zhang@amassgroup.com>
Subject: RE: Quotation Request - Backing Laminate - GIH
Attachment: Quotation Laminate - GIH.zip (contains "Quotation Laminate - GIH.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48578/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Creating a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/438258
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 271606 Sample: Quotation Laminate - GIH.exe Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 53 www.cryptoworld.academy 2->53 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Yara detected FormBook 2->65 67 6 other signatures 2->67 9 Quotation Laminate - GIH.exe 7 2->9         started        signatures3 process4 file5 47 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 9->47 dropped 49 C:\Users\...\Quotation Laminate - GIH.exe.log, ASCII 9->49 dropped 51 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 9->51 dropped 81 Injects a PE file into a foreign processes 9->81 13 Quotation Laminate - GIH.exe 9->13         started        16 cmd.exe 1 9->16         started        18 cmd.exe 3 9->18         started        21 cmd.exe 1 9->21         started        signatures6 process7 file8 83 Modifies the context of a thread in another process (thread injection) 13->83 85 Maps a DLL or memory area into another process 13->85 87 Sample uses process hollowing technique 13->87 89 Queues an APC in another process (thread injection) 13->89 23 explorer.exe 13->23 injected 27 reg.exe 1 1 16->27         started        29 conhost.exe 16->29         started        39 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 18->39 dropped 31 conhost.exe 18->31         started        41 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 21->41 dropped 33 conhost.exe 21->33         started        signatures9 process10 dnsIp11 55 balancer.wixdns.net 185.230.60.211, 49728, 49729, 49730 WIX_COMIL Israel 23->55 57 imessemi.com 14.49.36.141, 49732, 49733, 49734 KIXS-AS-KRKoreaTelecomKR Korea Republic of 23->57 59 4 other IPs or domains 23->59 77 System process connects to network (likely due to code injection or exploit) 23->77 35 cmmon32.exe 17 23->35         started        79 Creates an undocumented autostart registry key 27->79 signatures12 process13 file14 43 C:\Users\user\AppData\...\990logrv.ini, data 35->43 dropped 45 C:\Users\user\AppData\...\990logri.ini, data 35->45 dropped 69 Detected FormBook malware 35->69 71 Tries to steal Mail credentials (via file access) 35->71 73 Tries to harvest and steal browser information (history, passwords, etc) 35->73 75 3 other signatures 35->75 signatures15
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d/
Threat name:
ByteCode-MSIL.Infostealer.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 00:18:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjnopcnlpj76puwsxur2mm5ofvfanoft3wj5p2trnbdsbedhvewq._file
Verdict:
malicious
Similar samples:
0bf6ccdd920a50186f7318c51564ecc8f502302b084a5fda3feadb0d51e40f24
NanoCore
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
NanoCore
2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5
NanoCore
61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece
NanoCore
83159525ad9374d710ea33342d68834a491e3f14ea3f3fa6c39db3f2096c3059
NanoCore
9e31a9eedd25bd1b57d01f6f9f265cf5d13218f3e3e1866128d061ba5c77c452
NanoCore
b008ed360af03c8b5f1a31bad43238507f56e73a546109d66349cc6638cb406f
NanoCore
b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9
NanoCore
e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0
NanoCore
f3c6e6f5bf996841cc3777b0b3769e2092e5a85ad110b46764b45c3681793874
NanoCore
+ 2'231 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200819-mayvmgh33j/
Behaviour
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.com/mzg/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 5f43af493e29bd1b5b253ae57af23e54669a698013875de4475ea5e9e24ab129

NanoCore

Executable exe 8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d

(this sample)

  
Dropped by
MD5 221bb2fc5aa8e8bd053c2f3813cb5672
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48578/
  
Dropped by
SHA256 5f43af493e29bd1b5b253ae57af23e54669a698013875de4475ea5e9e24ab129

Comments