MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d75cf9476dffea873baf2255cb0a9735b5b87c8042e0555229a94a2b3996b9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d75cf9476dffea873baf2255cb0a9735b5b87c8042e0555229a94a2b3996b9b
SHA3-384 hash: fe180d6299c63f307058af92a722b0ec8ad2214e348a3f3596e8bb671df7c7b9bf72cf2443b578baed1d0604f3c5c77f
SHA1 hash: 7f20ffb429354666ad00540195d43f9f8940b396
MD5 hash: dd15cd7f36d0b1e22beaabd248f05822
humanhash: nineteen-cola-double-glucose
File name:PURCHASE ORDER.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:396'334 bytes
First seen:2022-02-02 05:37:18 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:Ht8bj2TMF+EKLNV1qADqETFU3qlvxYwtQ/A/B:HKbj2TM4E6N3qADxFU6lJYwIWB
TLSH T17E8423E666C3B147635EBE8BBED75182D2DA00009803C15C2C97A696D87EFD3BD7241B
Reporter cocaman
Tags:NanoCore zip


Avatar
cocaman
Malicious email (T1566.001)
From: "international@unitedbiotechindia.com" (likely spoofed)
Received: "from unitedbiotechindia.com (unknown [85.202.169.154]) "
Date: "1 Feb 2022 19:55:51 -0800"
Subject: "PURCHASE ORDER"
Attachment: "PURCHASE ORDER.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.22360.ZipHeur.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61fa18bca0f6a794b3329ae7/reports/457d5863-c1f3-4322-9f9c-36450131848b/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4d75cf9476dffea873baf2255cb0a9735b5b87c8042e0555229a94a2b3996b9b
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d75cf9476dffea873baf2255cb0a9735b5b87c8042e0555229a94a2b3996b9b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 02:24:19 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jv247fdw377kq4526isvzmfjonnvxb6iaqxakvjctkkkfm4znonq._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220202-gbqf8ahaa5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
derarawfile10.ddns.net:1187
212.192.246250:1187
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d75cf9476dffea873baf2255cb0a9735b5b87c8042e0555229a94a2b3996b9b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 4d75cf9476dffea873baf2255cb0a9735b5b87c8042e0555229a94a2b3996b9b

(this sample)

NanoCore

Executable exe 124e869571209d28166b9e9c99902fcb3e82da8b48dc206093e768b82c9ed75c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 124e869571209d28166b9e9c99902fcb3e82da8b48dc206093e768b82c9ed75c
  
Dropping
NanoCore

Comments