MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39fb3a29bfde6315ef973541cf304f12382a7435a1fbce06a89ca461e50ea198. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39fb3a29bfde6315ef973541cf304f12382a7435a1fbce06a89ca461e50ea198
SHA3-384 hash: 3a8cc778a368025f6f7c5b3890b68286fbe21954246025eeb2f00796394e46eafd7acbf1034fe7fd2509b9f58383ee3b
SHA1 hash: 35988c6fcf0aaec00f6d9e1c4ae7a2c8ee81b7bc
MD5 hash: fc646daa008f1efc0d5a21276ef3a435
humanhash: single-pennsylvania-september-cat
File name:New Order 013.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:14'017 bytes
First seen:2022-06-01 10:45:29 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 192:lDSJ5K4xiVY+raOmHtsHaT5z5vY7Ba2SAx9r1brOxKEcjmh5Lk9o/5tlsHZuwn9O:l+Jq7ra1mHaTBu7w2jD+AxrsUO
TLSH T17052D1120552BED5DDB98D7B129394C7A817984D118E1C1A1EC0B6CF391A9C2FF0BC67
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:FormBook NanoCore RAT zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Khoo <len.rob@newnightlynews.com>" (likely spoofed)
Received: "from avelassa.newnightlynews.com (avelassa.newnightlynews.com [193.233.182.132]) "
Date: "01 Jun 2022 02:12:52 -0700"
Subject: "NEW PO"
Attachment: "New Order 013.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.22623.ZipHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/39fb3a29bfde6315ef973541cf304f12382a7435a1fbce06a89ca461e50ea198
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39fb3a29bfde6315ef973541cf304f12382a7435a1fbce06a89ca461e50ea198/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 09:27:39 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
16 of 41 (39.02%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hh5tukn73zrrl34xgva46mcpci4cu5bvuh544bvitssgdziougma._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:nanocore campaign:fs44 evasion keylogger persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220601-mty4zagba6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
NanoCore
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
74.201.28.111:141
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/39fb3a29bfde6315ef973541cf304f12382a7435a1fbce06a89ca461e50ea198

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 39fb3a29bfde6315ef973541cf304f12382a7435a1fbce06a89ca461e50ea198

(this sample)

Formbook

Executable exe 7f04b9072a28a0d1558420fa5734b320b71724afee4096ab46075a6052aea309

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7f04b9072a28a0d1558420fa5734b320b71724afee4096ab46075a6052aea309
  
Dropping
MD5 5483bf7c0deeba9feb0f1ddccd2c50d2

Comments