MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58e46f4659f45eb94baa159364af5719a7e17532cffb36b71f9aa141587c0e0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58e46f4659f45eb94baa159364af5719a7e17532cffb36b71f9aa141587c0e0c
SHA3-384 hash: fbc04ac9768edfdbf422a27e90488cfc15827df22f0066e8cd239eaa1baf26030dca8dab42ea72d5975506dc4e5e8b35
SHA1 hash: fbf8733917018390fff6d9e865e4e6687f93799b
MD5 hash: 39f79348ae7fabf62286fcdcf70f504e
humanhash: three-twelve-purple-fifteen
File name:CZZGDXNVTGADHPFORGSZHD.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'152 bytes
First seen:2022-08-22 15:35:48 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:IWadta0dvj81bMdX/b1td8dRYe7OgbbkMj8Wldfi4dDdhHmdi6oRe03OAgJMGgim:IWSFGo6kUVnRiZ5lm
Threatray 6'942 similar samples on MalwareBazaar
TLSH T11821D048043FF6CD7E605E04874D081C9AB689FB2D745CF654B184C1432D8B179E85F2
Reporter pr0xylife
Tags:NanoCore vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300310/
Detection(s):
SecuriteInfo.com.VBS.Obfus-178.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
NanoCore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055660
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: NanoCore
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 688176 Sample: CZZGDXNVTGADHPFORGSZHD.vbs Startdate: 22/08/2022 Architecture: WINDOWS Score: 100 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 7 other signatures 2->84 9 powershell.exe 2->9         started        11 powershell.exe 2->11         started        13 powershell.exe 14 23 2->13         started        18 3 other processes 2->18 process3 dnsIp4 20 cmd.exe 9->20         started        23 conhost.exe 9->23         started        25 cmd.exe 11->25         started        27 conhost.exe 11->27         started        62 C:\ProgramData\...\TPJBPHDRDAKRTTRHFNNALF.ps1, ASCII 13->62 dropped 64 C:\ProgramData\...\POLJXSGZFQWBKLFKSLIUYK.vbs, ASCII 13->64 dropped 66 C:\ProgramData\...\POLJXSGZFQWBKLFKSLIUYK.ps1, ASCII 13->66 dropped 92 Bypasses PowerShell execution policy 13->92 29 powershell.exe 36 13->29         started        31 conhost.exe 13->31         started        70 tradeguru.com.pk 104.255.169.179, 49745, 49751, 80 H4Y-TECHNOLOGIESUS United States 18->70 94 Creates processes via WMI 18->94 file5 signatures6 process7 signatures8 86 Uses cmd line tools excessively to alter registry or file data 20->86 88 PowerShell case anomaly found 20->88 33 cmd.exe 20->33         started        36 reg.exe 20->36         started        38 reg.exe 20->38         started        40 cmd.exe 25->40         started        42 reg.exe 25->42         started        44 reg.exe 25->44         started        46 wscript.exe 29->46         started        process9 signatures10 76 PowerShell case anomaly found 33->76 48 powershell.exe 33->48         started        51 powershell.exe 40->51         started        process11 signatures12 72 Writes to foreign memory regions 48->72 74 Injects a PE file into a foreign processes 48->74 53 aspnet_compiler.exe 48->53         started        58 aspnet_compiler.exe 51->58         started        process13 dnsIp14 68 37.0.14.198, 9090 WKD-ASIE Netherlands 53->68 60 C:\Users\user\AppData\Roaming\...\run.dat, data 53->60 dropped 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 53->90 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58e46f4659f45eb94baa159364af5719a7e17532cffb36b71f9aa141587c0e0c/
Threat name:
Script-WScript.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 15:36:05 UTC
File Type:
Text (VBS)
AV detection:
1 of 39 (2.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldsg6rsz6rplss5kcwjwjl2xdgt6c5jsz75tnny7tkqucwd4byga._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
NanoCore
36ccab7aced638753e2ccf38501d8a5a8995a30e3b2ac323b6198a44b881159e
NanoCore
45272694709263868523b77d0561757378cc2e8aa7d64c7ed21deaacbdf88b5b
NanoCore
4f7da7d6fb331a8098d4ce354690ffc64d8f0225307b406e722548109e669d4d
NanoCore
923527e188f407ba2bba6d1570506c474519970bc29fbee47d16d01636e7a338
NanoCore
9530780503c903e1d83738e19e754c3756e067612adddcea2f64c25749b6a838
NanoCore
b7b70dcbc64afcbcc9ca6ed5e6a61bac14e32f6f5c24ef005592006098abc76d
NanoCore
+ 6'932 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220822-s1w6vahgfl/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Registers COM server for autorun
NanoCore
Process spawned unexpected child process
Malware Config
C2 Extraction:
37.0.14.198:9090
Dropper Extraction:
http://tradeguru.com.pk/enc.txt
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58e46f4659f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/58e46f4659f45eb94baa159364af5719a7e17532cffb36b71f9aa141587c0e0c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/300310/

Comments