MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7493353a29f1591f88e0013c3aa0fb8810f49be33b111e6c5f1e462b16644c45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7493353a29f1591f88e0013c3aa0fb8810f49be33b111e6c5f1e462b16644c45
SHA3-384 hash: 8b9ad568ae4bd77edbca0979da716d6b48567cc7afa3e9c77be952e5abd826969427ff38689e9f34e12a845db15fcfdb
SHA1 hash: 5e8300e05e7e0073929152305f871a2a18cc98b3
MD5 hash: e9f825ea566bba1f1869b39ed4ce7e6a
humanhash: lamp-romeo-shade-grey
File name:Payment Receipt.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:573'952 bytes
First seen:2020-10-14 15:39:54 UTC
Last seen:2020-10-14 17:01:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:3IDrl6lRlJ9JthFRFpN5dxFRlpdptBlRFJHpHY700kAgEE4Y00wAngYoUEAgkk45:d3IxSZRrWmb
Threatray 616 similar samples on MalwareBazaar
TLSH D4C429197A05DF74F41A55B041C2A1F20303EEDC2952A13A7FD2FE9FA97364909DEE82
Reporter abuse_ch
Tags:exe NanoCore


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: success.herosite.pro
Sending IP: 23.111.148.162
From: sells@diamondeng.in
Subject: Payment Receipt
Attachment: Payment Receipt.rar1 (contains "Payment Receipt.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70914/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.16124.12173.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/491364
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7493353a29f1591f88e0013c3aa0fb8810f49be33b111e6c5f1e462b16644c45/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 01:42:39 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=osjtkorj6fmr7chaae6dvih3raipjg7dhmir43c7dzdcwftejrcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1167a7d5a6192107c841eee3d1292914e2ddbe6b661f2c2c41f1c1977ac97372
NanoCore
78be18a8bdab5baf14aa5c195ce9f5636750cd4fee2d3bbc3528f4ed8f9ad9ee
NanoCore
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
NanoCore
a183a94f7c049de1770e76be272a29e0ec7b3b4344ef5c4dc2fe9ddd5962b5bd
NanoCore
ab43f4e6ffd099d03057feefa2e8371637e4dc1e7aed8486a4aa9f5f5e194ee4
NanoCore
ab65908627d20a4e4953d8f2834a469ffcc180dbab7a585f4e58b915e18b702e
NanoCore
b7cd8c82d2a6ccebd7b8b9490812b34b9418d325c3a962f293b8f956e5f9a464
NanoCore
d533947ea02478e71f86ece97892e0f87c0bd966395047a6e770158642134f18
NanoCore
db2aa0c18078e1b88151524bd9a42092d6ad226867b128bf6b261084bc99698f
NanoCore
eff9f4e21fdbfe198940895948ec41f1d8e5adb4686fb4f7e72b6e9042054889
NanoCore
+ 606 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201014-x6129j6gq6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7493353a29f1591f88e0013c3aa0fb8810f49be33b111e6c5f1e462b16644c45
MD5 hash:
e9f825ea566bba1f1869b39ed4ce7e6a
SHA1 hash:
5e8300e05e7e0073929152305f871a2a18cc98b3
Link:
https://www.unpac.me/results/1be88173-c69d-4228-b991-6800027e6ea9/
SH256 hash:
3d1b4a965909ce9601ab8f05118907ce4d005909e32a93f9cc2b4c6bbf08fa3c
MD5 hash:
5696f7f5a0ac20748c61f33c94168dba
SHA1 hash:
bbc48006c6843f109badab01eeaac070dd984f28
Link:
https://www.unpac.me/results/1be88173-c69d-4228-b991-6800027e6ea9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7493353a29f1591f88e0013c3aa0fb8810f49be33b111e6c5f1e462b16644c45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 2cf0f38af03f7f52ac411011359c24c4b777ecd70139deae28ef3f734daece64

NanoCore

Executable exe 7493353a29f1591f88e0013c3aa0fb8810f49be33b111e6c5f1e462b16644c45

(this sample)

  
Dropped by
MD5 afa7eb8322bea6b76c35f032c4ade17f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2cf0f38af03f7f52ac411011359c24c4b777ecd70139deae28ef3f734daece64
Cape
Cape
https://www.capesandbox.com/analysis/70914/

Comments