MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff60a3c69dae6a290214353ee4c15bcfd2567ad8065310bf4c578acc0c32786. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ff60a3c69dae6a290214353ee4c15bcfd2567ad8065310bf4c578acc0c32786
SHA3-384 hash: 1064021298b85ab89b7e6116369bc47aa69297bf4dd62385868571506db9dcf649801a1108dfb19b9f97d27619f5f02e
SHA1 hash: 8295b3034faf9b49445f0b0f45e696ae20fea743
MD5 hash: 72aeae41cbf093463af444d06c2a3ff0
humanhash: item-oxygen-sodium-five
File name:Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).7z
Download: download sample
Signature NanoCore
Create hunting rule
File size:516'772 bytes
First seen:2022-05-13 06:05:39 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:5glgTiwWAkLzPOUg+3JrBm/c4QNSMF5puoSOkWerehJlQF:5aCcr/fBOOugkWXHlQF
TLSH T15CB42397582817D641763993D4EB32FBBAA3A5710A5F2ED903697990BC1A0EC3532F08
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:7z NanoCore zip


Avatar
cocaman
Malicious email (T1566.001)
From: "RAFEEQ RAZALI<rafeeq.razali@perodua.com.my" (likely spoofed)
Received: "from bizcn.com (unknown [212.193.30.204]) "
Date: "12 May 2022 13:18:40 -0700"
Subject: "Circular 01/08/(21): Additional Parts Discount & Extension of Credit Term"
Attachment: "Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed stealer
Link:
https://www.filescan.io/uploads/627df564d5b2a09b4da1b018/reports/f5e3a460-0786-4752-afcf-ea0d0a630ae4/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/5ff60a3c69dae6a290214353ee4c15bcfd2567ad8065310bf4c578acc0c32786
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ff60a3c69dae6a290214353ee4c15bcfd2567ad8065310bf4c578acc0c32786/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-13 06:06:07 UTC
File Type:
Binary (Archive)
Extracted files:
8
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l73aupdj3ltkfebbinj64tavxt6skz5nqbstcc7uyv4kzqgde6da._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220513-gtqvpscfg9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
deranano2.ddns.net:1187
194.31.178:1187
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ff60a3c69dae6a290214353ee4c15bcfd2567ad8065310bf4c578acc0c32786

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 5ff60a3c69dae6a290214353ee4c15bcfd2567ad8065310bf4c578acc0c32786

(this sample)

NanoCore

Executable exe 6035a6b2488b6c073d4b1cda9c9879e207b73e94c3551624667e59cc8719dd01

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6035a6b2488b6c073d4b1cda9c9879e207b73e94c3551624667e59cc8719dd01
  
Dropping
NanoCore
  
Dropping
MD5 717fc8318eb370b1e8ae630af9fe431d

Comments