MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62146835a7a26a8b596a1cccb45fd0ec7d863b4f92aad6d9262add86a624e9d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62146835a7a26a8b596a1cccb45fd0ec7d863b4f92aad6d9262add86a624e9d6
SHA3-384 hash: 9efa92009b1b1e461f9b405c78fc74ac5f1be9e43b05692fc6c77fd1e94783c7cbe01e7b0a57a15cf8683eafa5e32ac8
SHA1 hash: 8cde0123e40763c66fd4835c0f06ca1faa419adc
MD5 hash: 2d27f6cb6fb31991bac532dbb7092a49
humanhash: south-don-red-vegan
File name:Curriculum Vitae.7z
Download: download sample
Signature NanoCore
Create hunting rule
File size:440'594 bytes
First seen:2021-11-25 13:09:02 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:otfjIW7zqdzo6pMPTl2X4vQfFzo0nySsDjayUyhM/g:otfjj7/zp2Xj3lwjRUyhMY
TLSH T1FD94238F0A568DCCDBF9014EE9447F8EB0E28DCEDC4C2A5C798664EB24E5519E437E84
Reporter cocaman
Tags:7z NanoCore zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Kelly.kelvin" (likely spoofed)
Received: "from hotmail.com (unknown [194.85.248.250]) "
Date: "25 Nov 2021 03:56:52 -0800"
Subject: "Position Applied for: Office of the Assistant Secretary"
Attachment: "Curriculum Vitae.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisC2EE32F9D7DE.25158.322.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.24377.ZipHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit nanocore obfuscated packed
Link:
https://www.filescan.io/uploads/619f8af002c80febc2a92e4c/reports/6f39735b-7ab0-46e4-b81c-e95b94a693c9/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/62146835a7a26a8b596a1cccb45fd0ec7d863b4f92aad6d9262add86a624e9d6
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62146835a7a26a8b596a1cccb45fd0ec7d863b4f92aad6d9262add86a624e9d6/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 11:50:55 UTC
File Type:
Binary (Archive)
Extracted files:
19
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mikgqnnhujviwwlkdtglix6q5r6ymo2pskvnnwjgfloynjre5hla._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211125-qdsh2afcdm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
dera31.ddns.net:1187
195.133.18.211:1187
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62146835a7a26a8b596a1cccb45fd0ec7d863b4f92aad6d9262add86a624e9d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 62146835a7a26a8b596a1cccb45fd0ec7d863b4f92aad6d9262add86a624e9d6

(this sample)

NanoCore

Executable exe 84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
  
Dropping
NanoCore

Comments