MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10
SHA3-384 hash: f5c1e30debcd3e2f5c7fa0feb1612b2e11220b72880247c8753464e37547fd522d82b654c96f068efb5b7146d7108c92
SHA1 hash: 9c251f1b04f9ae720fde9270aa1a16b05d5ebd6a
MD5 hash: 23af2fb772bd5545965d7027eee074fd
humanhash: ohio-hydrogen-stream-pizza
File name:MV FLAG LAMA_VSL DETAILS.docx.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:452'608 bytes
First seen:2021-08-04 11:44:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Ehew2rrFYHxwqmPHqWO/6MaWgSLPnJJmw+0mdLNI4BFjjIkE7SClUrQ:girFYRwJPKRR7fm1dC4BxjI1s
Threatray 7'956 similar samples on MalwareBazaar
TLSH T1BEA402017F81DA31D46A0BB288F9CB210BB79D8F7B36920A394C7F1D7B37A911915792
dhash icon 16b60eecceee0ec6 (1 x NanoCore)
Reporter lowmal3
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV FLAG LAMA_VSL DETAILS.docx.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-04 11:45:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcb981a2-cb41-42b8-b0c0-9f4805f45a04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176303/
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.100.20502.25128.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/578bd0c7-d01d-4d36-b7fd-16e2954e508e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826802
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 10:27:12 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2xhc65od4z3fwdsmbz7snh45bcmvfhj5krvap5xlhl4jnkgvyia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
NanoCore
1999b409b4fdabafe9343b5a7d3f4ac0a019fe8f1f5d7ca3caf9fbe051c01ca8
NanoCore
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
NanoCore
365f029082236e51ab346d10388e952e52ca1d99e44fa40578b3497b737a10e2
NanoCore
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
NanoCore
a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55
NanoCore
abfd412e775e8a81efbd61484a67de9aed008c0e51910d9d8a9051c4ea9856b3
NanoCore
e19c08f599af43e73bb73b7183ce1b8a1e6712640d185d6f29ae0cf165bdfef5
NanoCore
f6a7a0bf925b8afa5152db2c60403056b5d8e53d1daa948be46b123f35e3af90
NanoCore
+ 7'946 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210804-ghfp91xj9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
f0b2e837f5214e91687b600c3d897441ee71c02c1d7e8df46a8e3082ff40d52d
MD5 hash:
752de5fd30cb6bacfa26e7b143fbd49f
SHA1 hash:
ef38585865c0fd0a49192d1851705f8ff032694c
Link:
https://www.unpac.me/results/e1531ae3-5b59-450b-b6ed-df9bf4166350/
SH256 hash:
eee609fd474474c9b2fa5e377ac07ba1f83415f79071285fd36c8ce12c5f19ca
MD5 hash:
4abe5471705ee16443557e1fac51f8ac
SHA1 hash:
0bfc326345f82c51eec584f1c3f8cdc41d705731
Link:
https://www.unpac.me/results/e1531ae3-5b59-450b-b6ed-df9bf4166350/
Parent samples :
6067817a353dc37fdc604639a53a627306c6c2c182b5c1976e14d33fa6375de3
a56f5f192556bdb3fd7af7a7d03750cbb4473b14ecde429a39a1b80ab6c6ab67
SH256 hash:
1297dd50f1f0b043f71dcf1a96109da763052dd51e0f557bf835e867baff0a9c
MD5 hash:
357751ab5a5dff2d3091c8c6c414f376
SHA1 hash:
ec8431b24a5520f54774143ec1abe138d666a602
Link:
https://www.unpac.me/results/e1531ae3-5b59-450b-b6ed-df9bf4166350/
SH256 hash:
3ccda2c2db9ed005ed8f078263240b1c7f86d0d8c6e09986649140a1c9f3b400
MD5 hash:
8726d7d271feaf0698dfd12ccff201dc
SHA1 hash:
5b151d7ae97449034af5f0d41e3ab729e9b4f1b8
Link:
https://www.unpac.me/results/e1531ae3-5b59-450b-b6ed-df9bf4166350/
SH256 hash:
36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10
MD5 hash:
23af2fb772bd5545965d7027eee074fd
SHA1 hash:
9c251f1b04f9ae720fde9270aa1a16b05d5ebd6a
Link:
https://www.unpac.me/results/e1531ae3-5b59-450b-b6ed-df9bf4166350/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/176303/

Comments