MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 480e1fcbda99f72a92429194acfc2aa7824ed12c1296a0396f2e44493c7291b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	480e1fcbda99f72a92429194acfc2aa7824ed12c1296a0396f2e44493c7291b1
SHA3-384 hash:	a7c5de2c06be2a94b849eaad8f24bbb6b867469ade4bb1b260745fe6cbd6f1700f36e04a9b7fdaa911b02ef2096f2b4e
SHA1 hash:	21411f622c26225a1702facc8372659915e18e4b
MD5 hash:	9edef69e2c938cb08ddadf9839796f17
humanhash:	aspen-arizona-connecticut-carpet
File name:	Quote.vbs
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	634'809 bytes
First seen:	2022-01-31 12:51:06 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	12288:ViBsrvGpxW6yKBZc4VMZu0Cg/w43K1nycLhBAkas:V8srvGfRYBudXy3s
TLSH	T1B5D4BF332302BC8977BB1F89B90529630CEA78DBA393902DFBC51A9D10AB454DD5CDB5
Reporter	abuse_ch
Tags:	NanoCore RAT vbs

abuse_ch

NanoCore C2:
107.173.60.45:54955

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
107.173.60.45:54955	https://threatfox.abuse.ch/ioc/338453/

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/228434/

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61f7db76fc92af0d80a8368f/reports/aa08ec35-d03a-4349-b484-09c006dfa20e/overview

Result

Verdict:

MALICIOUS

Details

Base64 Encoded URL

Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result

Threat name:

Nanocore AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930832

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/480e1fcbda99f72a92429194acfc2aa7824ed12c1296a0396f2e44493c7291b1/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2022-01-31 12:52:09 UTC

File Type:

Text (VBS)

AV detection:

12 of 43 (27.91%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jahb7s62th3svescsgkkz7bku6be5ujmcklkaolpfzcespdssgyq._file

Verdict:

malicious

Label(s):

agenttesla

nanocorerat

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:agenttesla family:nanocore evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/220131-p33jvshgc3/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Adds Run key to start application

Checks whether UAC is enabled

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Sets service image path in registry

AgentTesla Payload

AgentTesla

NanoCore

Malware Config

C2 Extraction:

107.173.60.45:54955
sys2021.linkpc.net:54955
https://api.telegram.org/bot5127674234:AAHGscjRk7JCDDCItFO4GPZfan-K7Hc89Z8/sendDocument

Malware family:

NanoCore

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/480e1fcbda99/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/480e1fcbda99f72a92429194acfc2aa7824ed12c1296a0396f2e44493c7291b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/228434/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample