MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fd371ac45f0ccc9b1902f841c9d644d972857def81521ee8562b8146b15411f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fd371ac45f0ccc9b1902f841c9d644d972857def81521ee8562b8146b15411f
SHA3-384 hash: 15efd12efabb94e50d513b35afcec73320b027a6428b9dfab3d6435d7e6f74bc2027374340dd7a7ca2d245bb634c7a74
SHA1 hash: b68d311a4d0e421d8405e9f53c169351d353f90d
MD5 hash: 36d2b4a34d0bd8ec0ca28d0ccbf0932b
humanhash: maine-carpet-berlin-johnny
File name:arrival notice-ETA 10th-11,2020.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:484'864 bytes
First seen:2020-11-03 11:10:29 UTC
Last seen:2020-11-03 14:29:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:kANF8cuQQrlYrbaviLE2enyMnQSG7xfXdKWQ8+QV3WGrE:kANFYQgInYbyDSCf4WQnQIkE
Threatray 2'781 similar samples on MalwareBazaar
TLSH B7A43B19FB0DDF70E11A7AB49402D0F10011FDD5AD96B18ABBC57F1F79B298A089AF42
Reporter cocaman
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
3
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82017/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gh.6881.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519086
Signature
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308643 Sample: arrival notice-ETA 10th-11,... Startdate: 03/11/2020 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for dropped file 2->63 65 8 other signatures 2->65 10 arrival notice-ETA 10th-11,2020.exe 7 2->10         started        process3 file4 47 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 10->47 dropped 49 arrival notice-ETA 10th-11,2020.exe.log, ASCII 10->49 dropped 51 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 10->51 dropped 77 Injects a PE file into a foreign processes 10->77 14 arrival notice-ETA 10th-11,2020.exe 10->14         started        17 cmd.exe 1 10->17         started        19 cmd.exe 3 10->19         started        22 cmd.exe 1 10->22         started        signatures5 process6 file7 79 Modifies the context of a thread in another process (thread injection) 14->79 81 Maps a DLL or memory area into another process 14->81 83 Sample uses process hollowing technique 14->83 85 Queues an APC in another process (thread injection) 14->85 24 explorer.exe 14->24 injected 28 reg.exe 1 1 17->28         started        30 conhost.exe 17->30         started        43 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 19->43 dropped 32 conhost.exe 19->32         started        45 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 22->45 dropped 34 conhost.exe 22->34         started        signatures8 process9 dnsIp10 53 www.americontractors.com 154.196.151.21, 49767, 80 HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK Seychelles 24->53 55 crossfitgrapheneatl.com 34.102.136.180, 49761, 80 GOOGLEUS United States 24->55 57 5 other IPs or domains 24->57 73 System process connects to network (likely due to code injection or exploit) 24->73 36 cmstp.exe 24->36         started        75 Creates an undocumented autostart registry key 28->75 signatures11 process12 signatures13 67 Modifies the context of a thread in another process (thread injection) 36->67 69 Maps a DLL or memory area into another process 36->69 71 Tries to detect virtualization through RDTSC time measurements 36->71 39 cmd.exe 1 36->39         started        process14 process15 41 conhost.exe 39->41         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3fd371ac45f0ccc9b1902f841c9d644d972857def81521ee8562b8146b15411f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 10:33:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
37
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7jxdlcf6dgmtmmqf6cbzhlejwlsqv667aksd3ufmk4bi2yviepq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
0c3afc73b1560d5d817104a616325e9f7a825e6b0158dfa0469b423c8bfbdf64
NanoCore
436314d8b9afa67d0e70b72b19c6d3d3309983980b65ca857d46b78fdfc40d56
NanoCore
5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
NanoCore
6308def230fca10ddd70426bb31764afd2564530a7ff775cf28e5e958c5bd37a
NanoCore
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
NanoCore
b7d55f5145ac91a9b2e9d1b98f65bf6844248ebd6612be241e2fe5755dcf0733
NanoCore
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
NanoCore
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
NanoCore
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
NanoCore
fa1c05c7ea1e94e08982755ca1d13051a6cd334fa3e93aa98b5bcc2ebb910f59
NanoCore
+ 2'771 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201103-2ze522t9ws/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.impactheroes.agency/bns/
Unpacked files
SH256 hash:
3fd371ac45f0ccc9b1902f841c9d644d972857def81521ee8562b8146b15411f
MD5 hash:
36d2b4a34d0bd8ec0ca28d0ccbf0932b
SHA1 hash:
b68d311a4d0e421d8405e9f53c169351d353f90d
Link:
https://www.unpac.me/results/5ee7412c-e25d-461f-b4f5-aca6de2b7228/
SH256 hash:
ccca4071db08dd8cb33ab702b30e036138e666fffc31d033f2ca51685fa54275
MD5 hash:
efae9834baaa803c53b9f56d661f6ea2
SHA1 hash:
7f0f15c618d2ed089afdee69a331d213f1267620
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5ee7412c-e25d-461f-b4f5-aca6de2b7228/
Parent samples :
436314d8b9afa67d0e70b72b19c6d3d3309983980b65ca857d46b78fdfc40d56
3fd371ac45f0ccc9b1902f841c9d644d972857def81521ee8562b8146b15411f
88ae2d739cf1bb2cb87e55498b46f53cc6c641ede1cf5619af8d0a128a1a2a39
e38e6ac839b8009c1c6d467ed4206f912c39a15af7a1fa7ba4a2a854e441fe50
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3fd371ac45f0ccc9b1902f841c9d644d972857def81521ee8562b8146b15411f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 9fce2914755aae65de6c6897837a74c849afc036b8ed80b81755d986513f931c

NanoCore

Executable exe 3fd371ac45f0ccc9b1902f841c9d644d972857def81521ee8562b8146b15411f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9fce2914755aae65de6c6897837a74c849afc036b8ed80b81755d986513f931c
Cape
Cape
https://www.capesandbox.com/analysis/82017/

Comments