MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac
SHA3-384 hash: fef5cfe2c903fefcc010169ff85698df7d58fccb346c0b463495146dc3f7d85609cd2ccfed35baec6669837baceb5dcf
SHA1 hash: 0dd10acab603b2f1269d05534902b09d38e31ac5
MD5 hash: b737570f9e9a1bdd794f78e3906e61b9
humanhash: edward-emma-mountain-network
File name:PO_6620200947535257662_Arabico.PDF.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:819'712 bytes
First seen:2021-04-06 08:19:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:uA1hpIV1Fn6OAVo1TCIV7B+AcieFXe7SIcNo5fqOedXJuL:pG65o12c7BWGSP4fqXK
Threatray 1'936 similar samples on MalwareBazaar
TLSH 3105F13A3D509444F6981E3AC92B4E6437F0B14F64EED72EF4C92BDC8D6161A422FA17
Reporter abuse_ch
Tags:exe NanoCore


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: [89.41.26.168]
Sending IP: 89.41.26.168
From: Purchase <purchase@arabico.ae>
Subject: URGENT QUOTATION - arabico company dubai
Attachment: PO_6620200947535257662_Arabico.PDF.img (contains "PO_6620200947535257662_Arabico.PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_6620200947535257662_Arabico.PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-04-06 08:49:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7a0ed60-65d0-4ae2-abaa-2efde01b556a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132629/
Detection(s):
SecuriteInfo.com.ArtemisB737570F9E9A.5628.27912.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667333
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected Nanocore Rat
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 382596 Sample: PO_6620200947535257662_Arab... Startdate: 06/04/2021 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for dropped file 2->44 46 10 other signatures 2->46 7 PO_6620200947535257662_Arabico.PDF.exe 15 7 2->7         started        process3 file4 28 C:\Users\user\gvvccsccefghhsnd.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->30 dropped 32 C:\...\gvvccsccefghhsnd.exe:Zone.Identifier, ASCII 7->32 dropped 34 PO_662020094753525...Arabico.PDF.exe.log, ASCII 7->34 dropped 50 Drops PE files to the user root directory 7->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->52 11 gvvccsccefghhsnd.exe 14 5 7->11         started        15 cmd.exe 1 7->15         started        signatures5 process6 file7 36 C:\Users\user\...\ghfvjjtjhhjghdgghrba.exe, PE32 11->36 dropped 54 Multi AV Scanner detection for dropped file 11->54 56 Machine Learning detection for dropped file 11->56 58 Writes to foreign memory regions 11->58 60 3 other signatures 11->60 17 InstallUtil.exe 6 11->17         started        21 reg.exe 1 1 15->21         started        24 conhost.exe 15->24         started        signatures8 process9 dnsIp10 38 185.157.161.86, 50005 OBE-EUROPEObenetworkEuropeSE Sweden 17->38 26 C:\Users\user\AppData\Roaming\...\run.dat, data 17->26 dropped 48 Creates an undocumented autostart registry key 21->48 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 06:31:20 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bi5il7ljmsym6g3b4qompqixvwsmqyd2aed22sjb3l5gtez66cwa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0e206f1cf56315c1d4245ca01cac08ebab51decab43760d40e43a754d27da7b6
NanoCore
1974eb0632e98cc3277adaa0074d95fe33602c751a27032d93ae03b09dd9e77d
NanoCore
258856f05819789b47e0bed58b1df479976a355cd30b953b23f9e2f5d286578a
NanoCore
644a0403a3c8254a3846b8c07aa7fdeb2cfe21aa5630ca3100949869f60ae407
NanoCore
72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
NanoCore
8a1531470b71afbae59477a8ba23f4f0c72895700676fd3b5371a2e7f9637b86
NanoCore
d6a8535e674dda41d9b294844be9c27b8af80831044d61354f77b50497b28fde
NanoCore
db591a08743176655e567ddffcbbd79b9e2e31feadc1feb54a0200296a93d53d
NanoCore
e26e07749118e8284c28e50553c62bdbe327234b801ffdf2eedb8663444aa459
NanoCore
fcd1f447849497f6ee7e0d08f59f8220b457b6e9a0d02c227348ac313ba3196b
NanoCore
+ 1'926 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore agilenet evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210406-y9dy3r6x32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
185.157.161.86:50005
nanopc.linkpc.net:50005
Unpacked files
SH256 hash:
0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac
MD5 hash:
b737570f9e9a1bdd794f78e3906e61b9
SHA1 hash:
0dd10acab603b2f1269d05534902b09d38e31ac5
Link:
https://www.unpac.me/results/6aa4245e-1132-4cee-bc49-e07e94921669/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img b7384b7eaf02acbb5f0ec66444a04ed3e82b8af4f2bae59eb1a91d1a50dccb6b

NanoCore

Executable exe 0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac

(this sample)

  
Dropped by
MD5 c0c4e91ec5636cc5309ed35ab6e9f57d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b7384b7eaf02acbb5f0ec66444a04ed3e82b8af4f2bae59eb1a91d1a50dccb6b
Cape
Cape
https://www.capesandbox.com/analysis/132629/

Comments