MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1676e36eec12118ae10d1f090b6bf269d3f3c3ff771ecb0422231946415b2b13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1676e36eec12118ae10d1f090b6bf269d3f3c3ff771ecb0422231946415b2b13
SHA3-384 hash: b399475a3507dcb2afd88305f3934b4a359e9a664ad20ffd9ea86f4eda6a25d5466ac8673983167c0f3b4c65367bd5b8
SHA1 hash: 37f333ef38ec5b0befea8082ee5f915ede76f9a6
MD5 hash: 0a58823cf240ad64edd991a378a3190d
humanhash: mexico-alabama-robert-london
File name:Payment Note.jpg.bat
Download: download sample
Signature NanoCore
Create hunting rule
File size:3'689'984 bytes
First seen:2020-07-10 18:00:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4WFxWC31rEIGphM3jcuj/WXrX8qjsX2UCppghVhBSishT0hp2t6RXCvZhpjVQyJ8:4gxMYzWb30YR/Bj6cd8
TLSH F7060E2939D69018ED771F3544F8BDD2FE6A7B463A528A5D6097030C4E02A87FF1262F
Reporter abuse_ch
Tags:bat NanoCore RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WTA.29827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1676e36eec12118ae10d1f090b6bf269d3f3c3ff771ecb0422231946415b2b13/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 18:02:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cz3og3xmciiyvyind4eqw27snhj7hq77o4pmwbbcemmumqk3fmjq._file
Verdict:
unknown
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
evasion trojan keylogger stealer spyware family:nanocore persistence
Link:
https://tria.ge/reports/200710-x5fq7bwqzn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
3.tcp.ngrok.io:20027
20027:20027
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 1676e36eec12118ae10d1f090b6bf269d3f3c3ff771ecb0422231946415b2b13

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24479/

Comments


Avatar
mrio commented on 2020-08-11 07:19:18 UTC

C2: 3.tcp.ngrok.io:20027