MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3037bc78a5195bafc18d9b77704137680db76d2261895e96d876753bb2598b43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3037bc78a5195bafc18d9b77704137680db76d2261895e96d876753bb2598b43
SHA3-384 hash: 8ea5f21cf167d33bf5901b7f00976a781e0b1ea758b2d86655d743c9756141518b79f5a1d6315dbba6b89cc3313e7cdb
SHA1 hash: b820684ec4f06ecd27ca84bfd5c36f83d14144fa
MD5 hash: 470009d741e322fe3c1325400818adb1
humanhash: minnesota-solar-stream-seventeen
File name:PRODUCT INVOICES_PDF.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'159'608 bytes
First seen:2021-07-30 17:22:47 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:OQOFZDEVQiHz09jcAVQYc7RtyXZxolR7UMx9ke7zxV1a3Xh6gvEycpryXxoOR7Un:u/g/BdRWol1nPkMgvMpgoOfuj
Threatray 9'931 similar samples on MalwareBazaar
TLSH T1A9A5AEB042F51FD4FF6C081688540B8A4CD11A8B8281ADDDD26E3BF96ED7FC9C6153A6
Reporter abuse_ch
Tags:NanoCore RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
457
Origin country :
n/a
Vendor Threat Intelligence
Detection:
nanocore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175325/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824611
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
Creates an undocumented autostart registry key
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457022 Sample: PRODUCT INVOICES_PDF.vbs Startdate: 30/07/2021 Architecture: WINDOWS Score: 100 37 sys2021.linkpc.net 2->37 43 Malicious sample detected (through community Yara rule) 2->43 45 Sigma detected: NanoCore 2->45 47 Detected Nanocore Rat 2->47 49 6 other signatures 2->49 8 wscript.exe 3 2->8         started        12 dhcpmon.exe 2 2->12         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\Temp\name.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\Local\Temp\file.exe, PE32 8->33 dropped 53 Benign windows process drops PE files 8->53 55 VBScript performs obfuscated calls to suspicious functions 8->55 14 name.exe 3 8->14         started        18 file.exe 1 5 8->18         started        signatures6 process7 file8 35 C:\Users\user\AppData\...xplorer64.exe, PE32 14->35 dropped 57 Machine Learning detection for dropped file 14->57 59 Injects a PE file into a foreign processes 14->59 20 name.exe 1 8 14->20         started        61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->61 63 Creates an undocumented autostart registry key 18->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->65 25 file.exe 2 18->25         started        signatures9 process10 dnsIp11 39 192.168.2.1 unknown unknown 20->39 41 sys2021.linkpc.net 20->41 27 C:\Program Files (x86)\...\dhcpmon.exe, PE32 20->27 dropped 29 C:\Users\user\AppData\Roaming\...\run.dat, data 20->29 dropped 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->51 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3037bc78a5195bafc18d9b77704137680db76d2261895e96d876753bb2598b43/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 17:23:04 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ga33y6ffdfn27qmntn3xaqjxnag3o3jcmgev5fwyoz2txmszrnbq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051
NanoCore
1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
699d670809bccdbbdb2ae85d80be86d6fd00586c56e0375df34527d4ec6045cf
NanoCore
876b731a87a9261f5f533bab8b57c6cdc23664268fe8232cb6c65adb37b99c79
NanoCore
c634652d912ddd573ec0b3650031251a050e7527c1275f052fa4473be8d30584
NanoCore
e77e8e6bee74e74ded1cc8ff3e83ffa7483aa2ab68af5562798ad9b18244f389
NanoCore
edb5f7136ced51208b8c6503f67f9b9153c4ac47a4876b32d82e69208de51509
NanoCore
+ 9'921 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210730-cvamgzjnkn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
sys2021.linkpc.net:11940
23.94.82.41:11940
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3037bc78a5195bafc18d9b77704137680db76d2261895e96d876753bb2598b43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Double_Base64_Encoded_Executable
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Visual Basic Script (vbs) vbs 3037bc78a5195bafc18d9b77704137680db76d2261895e96d876753bb2598b43

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175325/

Comments