MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 448d8312f6f75248834b2d1fc2ceb91aecb488c8f54a54f6c956b1caa7482d6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 448d8312f6f75248834b2d1fc2ceb91aecb488c8f54a54f6c956b1caa7482d6b
SHA3-384 hash: 4ba4b7797df693fc206150630c8b0c277273a8c5061536c831aedf56a38ad95243e8a029e842459919f50fe64ad95b88
SHA1 hash: b6c2441f588d385f0aba8d39e458671e9f4e624d
MD5 hash: 38b36ab8b9be0bb6e501f658969ae2f5
humanhash: fifteen-golf-angel-fourteen
File name:Proof of payment.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:347'480 bytes
First seen:2020-10-14 16:28:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:YGMleByzz9nkbX3L7P/Pv3PbbTD//f3TrD/rXnbHTx5p5PX1R1R9fIzvP3/FPJzp:YGPszhH
Threatray 1'140 similar samples on MalwareBazaar
TLSH AA742FC6F18CEF68DC2F21B6D83BDDA502A7AEAD84A4C116259D794768F33031523D1B
Reporter abuse_ch
Tags:exe NanoCore


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ellyyyyyyyy.kozow.com
Sending IP: 104.168.152.142
From: Angel Luis <account@progate.top>
Subject: Proof of payment
Attachment: Proof of payment.rar (contains "Proof of payment.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70950/
Detection(s):
SecuriteInfo.com.Artemis38B36AB8B9BE.10360.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Creating a window
Creating a file in the %AppData% subdirectories
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491496
Signature
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Nanocore Rat
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 298304 Sample: Proof of payment.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 100 58 hastebin.com 2->58 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for dropped file 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 12 other signatures 2->72 8 Proof of payment.exe 18 4 2->8         started        13 Proof of payment.exe 2 2->13         started        15 Proof of payment.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 62 hastebin.com 104.24.127.89, 443, 49734, 49760 CLOUDFLARENETUS United States 8->62 54 C:\Users\user\...\Proof of payment.exe, PE32 8->54 dropped 56 C:\...\Proof of payment.exe:Zone.Identifier, ASCII 8->56 dropped 76 Creates an undocumented autostart registry key 8->76 78 Creates autostart registry keys with suspicious names 8->78 80 Creates multiple autostart registry keys 8->80 82 Hides threads from debuggers 8->82 19 Proof of payment.exe 6 8->19         started        24 timeout.exe 1 8->24         started        26 WerFault.exe 23 9 8->26         started        28 Proof of payment.exe 8->28         started        64 104.24.126.89, 443, 49754 CLOUDFLARENETUS United States 13->64 30 timeout.exe 1 13->30         started        32 timeout.exe 15->32         started        34 timeout.exe 17->34         started        36 timeout.exe 17->36         started        38 timeout.exe 17->38         started        file6 signatures7 process8 dnsIp9 60 gold.ooguy.com 79.134.225.72, 49746, 49747, 49749 FINK-TELECOM-SERVICESCH Switzerland 19->60 52 C:\Users\user\AppData\Roaming\...\run.dat, data 19->52 dropped 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->74 40 conhost.exe 24->40         started        42 conhost.exe 30->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 36->48         started        50 conhost.exe 38->50         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/448d8312f6f75248834b2d1fc2ceb91aecb488c8f54a54f6c956b1caa7482d6b/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 13:53:50 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=isgygexw65jera2lfup4ftvzdlwljcgi6vffj5wjk2y4vj2ifvvq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
013e28fb236b074fae60d3252c602924a886ad4c311310dbb19f85ba1c5e2425
NanoCore
1ca9978db84d8cad7f6a8f838e106799352c386cfa3aee2bbefa195e7fabe166
NanoCore
22221b72f894bb076ead64d8e6c09daf40692586a2b9f3409d91ae72c0a001ee
NanoCore
34f1b02bdccebe61deb518957acd32c9a64ce358102db3be15ed7d46f9945004
NanoCore
56e710ea1f70626aee844269cb7197e2142908b70082908436a77e1ee4d9fce7
NanoCore
5c0f2a6b96505881c5cdb0c3c931ace0d2de9725e3094246973291ad5ca9d0e4
NanoCore
602b19f259171ac577fb9d67952442c71809b4b3977484115883d7ed6be067a3
NanoCore
8caedefa8cf9273522057503dc8c9cabeaea4eb113a612040f1da56f8d85dbbf
NanoCore
8ee9784e9c874e7b40e667115655e0965420c5233238ca1499cdd7c25c79dc6c
NanoCore
f9155082e1d12e318287a25bb73036feab7c75b7f0c3c1c30f457cbecaf9763a
NanoCore
+ 1'130 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan keylogger stealer spyware family:nanocore
Link:
https://tria.ge/reports/201014-2d3x7rfhan/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
:9889
gold.ooguy.com:9889
Unpacked files
SH256 hash:
448d8312f6f75248834b2d1fc2ceb91aecb488c8f54a54f6c956b1caa7482d6b
MD5 hash:
38b36ab8b9be0bb6e501f658969ae2f5
SHA1 hash:
b6c2441f588d385f0aba8d39e458671e9f4e624d
Link:
https://www.unpac.me/results/737bc028-395c-4b4f-a769-2fdcf867b448/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/448d8312f6f75248834b2d1fc2ceb91aecb488c8f54a54f6c956b1caa7482d6b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 05c449db00bb0f95187a0b785176c827560d8e978c25c9a3b1b83f5e064c8da2

NanoCore

Executable exe 448d8312f6f75248834b2d1fc2ceb91aecb488c8f54a54f6c956b1caa7482d6b

(this sample)

  
Dropped by
MD5 2c24b2c7fa72e6514ff9626c463d84f4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70950/
  
Dropped by
SHA256 05c449db00bb0f95187a0b785176c827560d8e978c25c9a3b1b83f5e064c8da2

Comments