MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1
SHA3-384 hash: 4cebbc21e026b57f3ff5cada335719b4d916a7c945f90c16ab44f313ee167a4be9e44ee58dc1bd54f36cc092649c1421
SHA1 hash: c0b64b85e13865a76136ce2d5674ebca53246566
MD5 hash: b6a05c3a37dde3db4a8005dfaeda9e97
humanhash: nitrogen-oklahoma-table-apart
File name:Inv-04_PDF.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'437'367 bytes
First seen:2021-07-21 17:51:43 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:Rqf8Lpx7oAbNFypaURT3UuL42eUyp2CLHiLG8b5/tXC5I3ASYovcOpiWmSi3D0IA:0kfpg5/byl8b5lGIQY0Opg0IDhO
Threatray 9'495 similar samples on MalwareBazaar
TLSH T134B5023086442EDC5B64DF3AF1793A095FF01E4B9856A0CDBBD73D43EEDA8C8A51A160
Reporter abuse_ch
Tags:NanoCore vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173072/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819659
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Benign windows process drops PE files
Creates an undocumented autostart registry key
Detected Nanocore Rat
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452070 Sample: Inv-04_PDF.vbs Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Sigma detected: NanoCore 2->45 47 8 other signatures 2->47 7 wscript.exe 3 2->7         started        11 dhcpmon.exe 4 2->11         started        process3 file4 29 C:\Users\user\AppData\Local\Temp\file2.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\Temp\file1.exe, PE32 7->31 dropped 53 Benign windows process drops PE files 7->53 55 VBScript performs obfuscated calls to suspicious functions 7->55 13 file2.exe 1 6 7->13         started        17 file1.exe 3 7->17         started        19 conhost.exe 11->19         started        signatures5 process6 file7 37 C:\Users\user\AppData\...xplorer64int.exe, PE32 13->37 dropped 39 C:\Users\user\AppData\...\InstallUtil.exe, PE32 13->39 dropped 57 Multi AV Scanner detection for dropped file 13->57 59 Creates an undocumented autostart registry key 13->59 61 Machine Learning detection for dropped file 13->61 21 InstallUtil.exe 13->21         started        24 InstallUtil.exe 1 6 13->24         started        63 Writes to foreign memory regions 17->63 65 Injects a PE file into a foreign processes 17->65 27 InstallUtil.exe 2 17->27         started        signatures8 process9 file10 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->51 33 C:\Users\user\AppData\Roaming\...\run.dat, International 24->33 dropped 35 C:\Program Files (x86)\...\dhcpmon.exe, PE32 24->35 dropped signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 17:52:10 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvicns75zuuckyy5257y6ukj4j27apwhqoipsttd3lmd254fnhaq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051
NanoCore
0cbbdd2c9615f4d2de4e0232ace6b69889a54538444838ac6616a5aa39109c98
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
699d670809bccdbbdb2ae85d80be86d6fd00586c56e0375df34527d4ec6045cf
NanoCore
876b731a87a9261f5f533bab8b57c6cdc23664268fe8232cb6c65adb37b99c79
NanoCore
c634652d912ddd573ec0b3650031251a050e7527c1275f052fa4473be8d30584
NanoCore
e0fe982389456170eea35ca081a62fc9ee770a27af6058c48059b0c80b4a620a
NanoCore
e77e8e6bee74e74ded1cc8ff3e83ffa7483aa2ab68af5562798ad9b18244f389
NanoCore
+ 9'485 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210721-jy28z58l2e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
sys2021.linkpc.net:11940
23.94.82.41:11940
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Double_Base64_Encoded_Executable
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Visual Basic Script (vbs) vbs 1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/173072/

Comments