MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051
SHA3-384 hash: 8ac2c044771e5bd5a5c00926b74d7bf6378d1e2891a17a074369196070e57ec8eab065eb193ecc183ee5ca3acf4dfd56
SHA1 hash: 15219b14c3137e70ebd426bdd15197c08943406e
MD5 hash: eb79049267ff4136078752873a808fe0
humanhash: happy-speaker-hawaii-magazine
File name:Payment Order_PDF.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'536'451 bytes
First seen:2021-07-14 16:01:48 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:GiS2n7MAjBigqF6WvkfAmf4isVOyefGDj+KQ8Gdze4Hplb:+2Y6WvkbAUyJJQzzeWb
Threatray 8'907 similar samples on MalwareBazaar
TLSH T1066512318D83FCA01B3C9631B18E7EED2D402D4F98F4A9AAAE5B319D199D5F1417BE10
Reporter abuse_ch
Tags:NanoCore RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171759/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816385
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 448796 Sample: Payment Order_PDF.vbs Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 53 mail.jetport-aero.com 2->53 55 jetport-aero.com 2->55 57 sys2021.linkpc.net 2->57 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 9 other signatures 2->69 8 wscript.exe 3 2->8         started        12 dhcpmon.exe 2->12         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\Temp\name.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\Local\Temp\file.exe, PE32 8->41 dropped 77 Benign windows process drops PE files 8->77 79 VBScript performs obfuscated calls to suspicious functions 8->79 14 name.exe 4 8->14         started        18 file.exe 1 5 8->18         started        43 C:\Users\user\AppData\...\InternetExp64.exe, PE32 12->43 dropped 45 C:\Users\user\AppData\Local\...\dhcpmon.exe, PE32 12->45 dropped 81 Writes to foreign memory regions 12->81 83 Injects a PE file into a foreign processes 12->83 20 dhcpmon.exe 12->20         started        signatures6 process7 file8 47 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 14->47 dropped 85 Machine Learning detection for dropped file 14->85 87 Writes to foreign memory regions 14->87 89 Injects a PE file into a foreign processes 14->89 22 RegAsm.exe 14->22         started        25 RegAsm.exe 2 14->25         started        27 RegAsm.exe 14->27         started        91 Creates an undocumented autostart registry key 18->91 29 file.exe 1 8 18->29         started        33 file.exe 18->33         started        35 file.exe 18->35         started        37 2 other processes 18->37 signatures9 process10 dnsIp11 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->73 59 191.96.25.26, 11940 AS40676US Chile 29->59 61 sys2021.linkpc.net 23.94.82.41, 11940, 49763, 49764 AS-COLOCROSSINGUS United States 29->61 49 C:\Program Files (x86)\...\dhcpmon.exe, PE32 29->49 dropped 51 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 29->51 dropped 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->75 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 16:02:08 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bccq7p3sz7fbg4l3ksg6xxm5vho5uyn3buczyesc44tajtqhmbiq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0cbbdd2c9615f4d2de4e0232ace6b69889a54538444838ac6616a5aa39109c98
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
699d670809bccdbbdb2ae85d80be86d6fd00586c56e0375df34527d4ec6045cf
NanoCore
7a388ead62a8f818b36c9c9a1938c2172c4fa05edfc71307980131c53c69d054
NanoCore
87621b8c28e96dee7b183db273e1865d1ab0edad8c39ce2948a8d6c1b694ca75
NanoCore
876b731a87a9261f5f533bab8b57c6cdc23664268fe8232cb6c65adb37b99c79
NanoCore
90c16db8c607f8ea1d0ed85c003b30692128327b4593e2fb45121a564fac6c11
NanoCore
b07ef4c584528991957dfbc17e62984fe06a6ae8ab441062b3d6910bbedf36b5
NanoCore
cac57f9210fa4d8fb970249750db6886d99f31e503cdeb6e4641bf1c0055afe7
NanoCore
e0fe982389456170eea35ca081a62fc9ee770a27af6058c48059b0c80b4a620a
NanoCore
+ 8'897 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210714-kssdg57gcj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
sys2021.linkpc.net:11940
191.96.25.26:11940
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Visual Basic Script (vbs) vbs 08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/171759/

Comments