MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 107ff183d6828547a6f3e42d34a5bc32c139adfdde541e1f0a7b64f353116efa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 107ff183d6828547a6f3e42d34a5bc32c139adfdde541e1f0a7b64f353116efa
SHA3-384 hash: 9b1a0a5bf6ec6bd310381ae809a19a811f91331be33e68ee2ff290b362ed7ef615171921bed940a74b962e8178f3b2ce
SHA1 hash: 8a1ec00ccba5ae7faf81c09a97962af91818d85f
MD5 hash: 9fd94ce43208dfc9fdaf3bb368c33253
humanhash: minnesota-march-cat-december
File name:询价到订单 Inquiry-to-Order-001030723 xlsx.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:890'880 bytes
First seen:2023-03-07 13:42:43 UTC
Last seen:2023-03-07 15:50:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:YULXctnQM61q/xhseWukm8ct+EyQC1q/7NYkbJNKHjHvKy4SCJwh:YUTgmI/+ubDHm1e7uQcKRO
Threatray 1'592 similar samples on MalwareBazaar
TLSH T1AA15AFE42F5D7263F7C6A1B3280426A7DBACBA5D6517C0181EE2108FC1CDD7C5252EAE
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b3092c260a3a9e9e (2 x NanoCore)
Reporter malwarelabnet
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
询价到订单 Inquiry-to-Order-001030723 xlsx.exe
Verdict:
Malicious activity
Analysis date:
2023-03-07 04:34:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7931b4e6-181a-4bb3-8527-c23efbbbc44e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372281/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64073f6886426ca5a86acb84/reports/8e184071-d067-4a8b-9a09-3f6b2f85e28e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/107ff183d6828547a6f3e42d34a5bc32c139adfdde541e1f0a7b64f353116efa
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46d898ec-453f-4ae1-843b-0e824e0ec3ac
Result
Threat name:
Nanocore, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189033
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821909 Sample: #U8be2#U4ef7#U5230#U8ba2#U5... Startdate: 07/03/2023 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 11 other signatures 2->73 8 #U8be2#U4ef7#U5230#U8ba2#U5355_Inquiry-to-Order-001030723_xlsx.exe 7 2->8         started        12 fregOCxCGET.exe 5 2->12         started        14 #U8be2#U4ef7#U5230#U8ba2#U5355_Inquiry-to-Order-001030723_xlsx.exe 2->14         started        process3 file4 57 C:\Users\user\AppData\...\fregOCxCGET.exe, PE32 8->57 dropped 59 C:\Users\...\fregOCxCGET.exe:Zone.Identifier, ASCII 8->59 dropped 61 C:\Users\user\AppData\Local\...\tmpC8D9.tmp, XML 8->61 dropped 63 #U8be2#U4ef7#U5230...030723_xlsx.exe.log, CSV 8->63 dropped 77 Uses schtasks.exe or at.exe to add and modify task schedules 8->77 79 Adds a directory exclusion to Windows Defender 8->79 16 #U8be2#U4ef7#U5230#U8ba2#U5355_Inquiry-to-Order-001030723_xlsx.exe 8 8->16         started        21 powershell.exe 21 8->21         started        23 powershell.exe 21 8->23         started        31 2 other processes 8->31 81 Antivirus detection for dropped file 12->81 83 Multi AV Scanner detection for dropped file 12->83 85 Machine Learning detection for dropped file 12->85 33 2 other processes 12->33 25 powershell.exe 14->25         started        27 powershell.exe 14->27         started        29 schtasks.exe 14->29         started        35 2 other processes 14->35 signatures5 process6 dnsIp7 65 timremcos.ddns.net 213.152.161.118, 22605, 49706, 49707 GLOBALLAYERNL Netherlands 16->65 55 C:\Users\user\AppData\Roaming\...\run.dat, data 16->55 dropped 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->75 37 schtasks.exe 16->37         started        39 conhost.exe 21->39         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        49 conhost.exe 31->49         started        51 conhost.exe 33->51         started        file8 signatures9 process10 process11 53 conhost.exe 37->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/107ff183d6828547a6f3e42d34a5bc32c139adfdde541e1f0a7b64f353116efa/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 02:42:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cb77da6wqkcupjxt4qwtjjn4glattlp53zkb4hykpnspguyrn35a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
08a62cc0bd0c9cc0375aa718245fc96b54acc5e4d29185d9850ac8b9ddad2b80
NanoCore
2a6896423cc62446d775c28aedc44306fbf3ee3c4e15eff8ebb4cf148360b4d9
NanoCore
3d4adf57d91eb47360050e595922701ac9caea76cba29c3aa036f6c7a89e9008
NanoCore
4682c806dd41aaccbb4f8bf3ead4fd322c302f334e3edc6dc06292bbd32335a0
NanoCore
4f7da7d6fb331a8098d4ce354690ffc64d8f0225307b406e722548109e669d4d
NanoCore
65fc6dce29c76aa98c946748b40ef8dae7278002fb6edea0c82c4fc94e03b41a
NanoCore
eedfa2c1826d7e4238b68a11913daeab8c065678f3eb3a6885b9842d0b0fc938
NanoCore
+ 1'582 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230307-qz83xahf4w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
fd791a1ee56437ff3897c36dcd13e9d2278d02a130e006ead2a0ace0c2f223f7
MD5 hash:
e0570af6d9aa8b0c762426db67411816
SHA1 hash:
c94360c13a9f3300eeee2e50dfc5feb0f733e744
Link:
https://www.unpac.me/results/99ae23aa-dd89-4901-a0bc-43a16eab8028/
SH256 hash:
1013aea6f73eb78107feae6a77a58df3a8cfd54e722b87e200b436f4ab6ce35a
MD5 hash:
0d4a484987b4c388f0a4b138cf572fb7
SHA1 hash:
2e4cbb3349f5ed59416e1987dc2ef9e210768a90
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/99ae23aa-dd89-4901-a0bc-43a16eab8028/
Parent samples :
107ff183d6828547a6f3e42d34a5bc32c139adfdde541e1f0a7b64f353116efa
be3bcc033afe51eae928468db7d611907861ff588d4de158cc8ae04baa18a8c3
SH256 hash:
5afb9d1b554f92a66975f19c33aaa8738b160ee08d6ccd631f613404bd7191c1
MD5 hash:
4dc0c9bc8b5a7ea149236122c939eca9
SHA1 hash:
d3d452afb965fde083177738ed40ff66c9c555ef
Link:
https://www.unpac.me/results/99ae23aa-dd89-4901-a0bc-43a16eab8028/
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/99ae23aa-dd89-4901-a0bc-43a16eab8028/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/99ae23aa-dd89-4901-a0bc-43a16eab8028/
SH256 hash:
107ff183d6828547a6f3e42d34a5bc32c139adfdde541e1f0a7b64f353116efa
MD5 hash:
9fd94ce43208dfc9fdaf3bb368c33253
SHA1 hash:
8a1ec00ccba5ae7faf81c09a97962af91818d85f
Link:
https://www.unpac.me/results/99ae23aa-dd89-4901-a0bc-43a16eab8028/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/107ff183d682/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/107ff183d6828547a6f3e42d34a5bc32c139adfdde541e1f0a7b64f353116efa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372281/

Comments