MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 213f1a7ffcddc77de699e71a3f9b82d2e3acef690205910340d1f8ddaa8122c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 213f1a7ffcddc77de699e71a3f9b82d2e3acef690205910340d1f8ddaa8122c8
SHA3-384 hash: 65365abea6f683eb01fdb0ba19fb5e1d4289feae9f089c10f2a3b3626aff1f0758acb7b434aa61c9226a281c754d7a56
SHA1 hash: 2aeeb67b51af531a52b6508dbbf8d85924adea49
MD5 hash: 8f570ea7e00014d04a8c9adfdb398e59
humanhash: timing-lamp-helium-lake
File name:PPT-0000084510027306.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'242'112 bytes
First seen:2021-09-29 02:52:00 UTC
Last seen:2021-09-30 07:41:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:blwPOr6WhlFW+kh7teoZjxYW41ur+YVarE8lNenv:Jw2WWhO+khXZjxYb1ihZn
Threatray 518 similar samples on MalwareBazaar
TLSH T125457B2D3A0D1AB2FD9E9D30CD4A2A18BB664F0323E0AAD247EB15D7874F4F55D44B84
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PPT-0000084510027306.exe
Verdict:
Malicious activity
Analysis date:
2021-09-29 02:52:47 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/9b3e6f61-9844-448c-aaa9-b9de2b8e5eec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192749/
Detection(s):
SecuriteInfo.com.Variant.Strictor.263793.27556.31282.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/827ef5d6-a151-4ef5-8a52-c5600cc92b81
Result
Threat name:
Nanocore SpyEx a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860482
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary or sample is protected by dotNetProtector
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected a310Logger
Yara detected Nanocore RAT
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492911 Sample: PPT-0000084510027306.exe Startdate: 29/09/2021 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Sigma detected: NanoCore 2->58 60 8 other signatures 2->60 8 PPT-0000084510027306.exe 4 2->8         started        12 explore.exe 2 2->12         started        process3 dnsIp4 50 192.168.2.1 unknown unknown 8->50 80 Writes to foreign memory regions 8->80 82 Tries to delay execution (extensive OutputDebugStringW loop) 8->82 84 Injects a PE file into a foreign processes 8->84 14 vbc.exe 1 5 8->14         started        17 cmd.exe 3 8->17         started        19 cmd.exe 1 8->19         started        86 Multi AV Scanner detection for dropped file 12->86 88 Machine Learning detection for dropped file 12->88 signatures5 process6 file7 42 C:\Users\user\AppData\...\FB_EEC7.tmp.exe, PE32 14->42 dropped 44 C:\Users\user\AppData\...\FB_E8AB.tmp.exe, PE32 14->44 dropped 22 FB_E8AB.tmp.exe 3 1 14->22         started        25 FB_EEC7.tmp.exe 12 14->25         started        46 C:\Users\user\AppData\Roaming\...\explore.exe, PE32 17->46 dropped 48 C:\Users\user\...\explore.exe:Zone.Identifier, ASCII 17->48 dropped 29 conhost.exe 17->29         started        62 Uses schtasks.exe or at.exe to add and modify task schedules 19->62 31 conhost.exe 19->31         started        33 schtasks.exe 1 19->33         started        signatures8 process9 dnsIp10 70 Antivirus detection for dropped file 22->70 72 Machine Learning detection for dropped file 22->72 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->74 78 5 other signatures 22->78 35 AppLaunch.exe 22->35         started        38 AppLaunch.exe 2 22->38         started        52 37.0.10.190, 1919, 49792, 49815 WKD-ASIE Netherlands 25->52 40 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 25->40 dropped 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->76 file11 signatures12 process13 signatures14 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->64 66 Tries to steal Mail credentials (via file access) 35->66 68 Tries to harvest and steal browser information (history, passwords, etc) 35->68
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/213f1a7ffcddc77de699e71a3f9b82d2e3acef690205910340d1f8ddaa8122c8/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 02:52:25 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ee7ru7743xdx3zuz44nd7g4c2lr2z33jaiczca2a2h4n3kubelea._file
Verdict:
malicious
Similar samples:
1f68e9becd0375dae05466e372419267cff95793f673b94784b642b662729463
NanoCore
37e1958166a5cb3b5d218fc5c1ce9cb7878e4d3b50499e6670d8d22563044502
NanoCore
898b6e006ded4d6f550104717d9664b27bb88d97fe0b1973684ed3f94ac6e42e
NanoCore
b28ddf6937378f3b331f7f19b968e4f0f785d3799aafe32758b6be2496dd6f69
NanoCore
c15017d56ac6e02cf607d7188d5b4bb5485d9463031ba4effcb29ca84eb83dea
NanoCore
c92748428af1806d4ecc702bce8ad9abcac6b738e7208d3586450cb4944a87a9
NanoCore
de7e8838d1448ac79810b71d637b62165d32cb1932c211e1ea571bd4770b0cea
NanoCore
e5f48b4531abf6b553ac264b9deb28736db14a92e6d3afd196a7c8e11f40e11f
NanoCore
fbcb18aea5eb6c852b359e1567601ba038b34ec14d32ce57f3f175f56d8c018e
NanoCore
+ 508 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210929-dcr5nadcf7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
37.0.10.190:1919
Unpacked files
SH256 hash:
90e18aed65ea3a8d27798046e018ff643fd6886bffb02488200ebb99338b25ee
MD5 hash:
85faf7320265bb28b0534a0a32736efe
SHA1 hash:
c989ff8117c3b0a95d74024b13720ebfb3e572fa
Link:
https://www.unpac.me/results/2d9759af-793c-411a-916e-f886304bfbd7/
SH256 hash:
e52fbe44458d306c06f0775638ac9c56c85f6d998183a84bb4f3db64a2245d8a
MD5 hash:
1c4e6eba8eca4d4209658f92f377c12d
SHA1 hash:
176ff15e8d7646e11e6a65a99e5320853bfb8ef4
Link:
https://www.unpac.me/results/2d9759af-793c-411a-916e-f886304bfbd7/
SH256 hash:
213f1a7ffcddc77de699e71a3f9b82d2e3acef690205910340d1f8ddaa8122c8
MD5 hash:
8f570ea7e00014d04a8c9adfdb398e59
SHA1 hash:
2aeeb67b51af531a52b6508dbbf8d85924adea49
Link:
https://www.unpac.me/results/2d9759af-793c-411a-916e-f886304bfbd7/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/213f1a7ffcdd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/213f1a7ffcddc77de699e71a3f9b82d2e3acef690205910340d1f8ddaa8122c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 213f1a7ffcddc77de699e71a3f9b82d2e3acef690205910340d1f8ddaa8122c8

(this sample)

  
Dropped by
nanocore
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/192749/

Comments