MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3c6e6f5bf996841cc3777b0b3769e2092e5a85ad110b46764b45c3681793874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 10

SHA256 hash: f3c6e6f5bf996841cc3777b0b3769e2092e5a85ad110b46764b45c3681793874
SHA3-384 hash: 318b2cb5ed7edb2a3dd7a4f5f1daf94d42108ad93cb94bd05c1c182beb7053958b0e598113955e8ecb2a458863b70c82
SHA1 hash: 88fbab67db1c968fba775647f02815e77d124cea
MD5 hash: a97a0a68e5e4aed3de7f7724ffdc99c0
humanhash: cold-five-nebraska-autumn
File name: vbc.exe
Signature: NanoCore
File size: 498'688 bytes
First seen: 2020-08-17 15:19:42 UTC
Last seen: 2020-08-17 15:54:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:sg1P0fweHOYQ+QilRSRD7HY89uD50SyE:sqPdeuYQ+1lSD7B9uVi
Threatray: 2'240 similar samples on MalwareBazaar
TLSH: 4FB4CF669216F413DB492F35D5F6FBB946F06710FC53C202B8ADBF1C5A2A79A0812363
Reporter: James_inthe_box
Tags: exe NanoCore

Intelligence

File Origin
# of uploads: 2
# of downloads: 121
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Enabling autorun
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 269356
Sample: vbc.exe
Start date: 17/08/2020
Architecture: WINDOWS
Score: 76
Signatures on the sample: Malicious sample detected (through community Yara rule); Yara detected FormBook; .NET source code contains potential unpacker; 2 other signatures
Process tree (dropped files and signatures listed under the process that produced them):
vbc.exe
  dropped: C:\Users\user\AppData\Local\...\name.exe.lnk (MS)
  dropped: C:\Users\user\AppData\Local\...\vbc.exe.log (ASCII)
  dropped: C:\Users\user\AppData\Local\Temp\svhost.exe (PE32)
  signature: Injects a PE file into a foreign processes
  cmd.exe
    reg.exe
      signature: Creates an undocumented autostart registry key
    conhost.exe
  cmd.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\name.exe (PE32)
    conhost.exe
  cmd.exe
    dropped: C:\Users\user\...\name.exe:Zone.Identifier (ASCII)
    conhost.exe
  vbc.exe
    WerFault.exe
      dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
Threat name: ByteCode-MSIL.Trojan.SmartAssembly
Status: Malicious
First seen: 2020-08-17 11:46:02 UTC
File Type: PE (.Net Exe)
Extracted files: 21
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: rat trojan spyware stealer family:formbook
Behaviour
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.joomlas123.com/mzg/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments