MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75b393eaeeac4e4f3ef5ef787a853d4e4ed2594522c5421bb0d47ddfa0db412c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75b393eaeeac4e4f3ef5ef787a853d4e4ed2594522c5421bb0d47ddfa0db412c
SHA3-384 hash: 3ff27bc655d9dd47722750e5266a461aeb2177519f431b13d1cd75ce47ceb48e11f27cdd3c2e632c36f4e2004ff37615
SHA1 hash: 192108099153a9aa0d41f08e6fbebf6e1e84d4f6
MD5 hash: 58b5c0edb251675b3d2bcdc4808ed0d6
humanhash: yankee-spaghetti-emma-spaghetti
File name:CV_JOB Request_Pdf___________________________.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:347'136 bytes
First seen:2020-10-06 17:55:40 UTC
Last seen:2020-10-06 19:14:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:0aA40vcrJSrQlHHP/pG+CEPhImc2Gi1S8+Cico8gwW:0aALmlHv/pG+VhImc2G0SfB8fW
Threatray 353 similar samples on MalwareBazaar
TLSH 63746C15B7C9F6F0D3BD5D30200615520105B7D10E83A7AEAF6E7C6A8EE2998097BFE1
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: gmail.com
Sending IP: 95.211.208.25
From: Anita Ruoxi Zhang <megennson@gmail.com>
Subject: CV
Attachment: CV_JOB Request_Pdf___________________________.iso (contains "CV_JOB Request_Pdf___________________________.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68652/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483144
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Creates executable files without a name
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294009 Sample: CV_JOB Request_Pdf_________... Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Antivirus detection for dropped file 2->67 69 Antivirus / Scanner detection for submitted sample 2->69 71 5 other signatures 2->71 8 CV_JOB Request_Pdf___________________________.exe 12 2->8         started        12 ExQTKw.exe 2->12         started        14 ExQTKw.exe 2->14         started        process3 file4 53 C:\Users\user\AppData\Roaming\tmp.exe, PE32 8->53 dropped 55 C:\Users\user\AppData\Local\Temp\.exe, PE32 8->55 dropped 57 C:\Users\user\AppData\...\name.exe.lnk, MS 8->57 dropped 59 2 other malicious files 8->59 dropped 81 Creates executable files without a name 8->81 83 Writes to foreign memory regions 8->83 85 Allocates memory in foreign processes 8->85 87 Injects a PE file into a foreign processes 8->87 16 tmp.exe 2 4 8->16         started        21 cmd.exe 1 8->21         started        23 cmd.exe 3 8->23         started        25 4 other processes 8->25 89 Antivirus detection for dropped file 12->89 91 Multi AV Scanner detection for dropped file 12->91 93 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->93 95 2 other signatures 12->95 signatures5 process6 dnsIp7 61 mail.fairlift.com 217.79.240.130, 49792, 587 HVC-ASUS Netherlands 16->61 47 C:\Users\user\AppData\Roaming\...xQTKw.exe, PE32 16->47 dropped 73 Antivirus detection for dropped file 16->73 75 Multi AV Scanner detection for dropped file 16->75 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->77 79 7 other signatures 16->79 27 reg.exe 21->27         started        30 conhost.exe 21->30         started        49 C:\Users\user\AppData\Roaming\...\name.exe, PE32 23->49 dropped 32 conhost.exe 23->32         started        51 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 25->51 dropped 34 iexplore.exe 1 54 25->34         started        36 conhost.exe 25->36         started        38 conhost.exe 25->38         started        40 2 other processes 25->40 file8 signatures9 process10 signatures11 97 Creates an undocumented autostart registry key 27->97 42 iexplore.exe 61 34->42         started        45 iexplore.exe 34->45         started        process12 dnsIp13 63 192.168.2.1 unknown unknown 42->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75b393eaeeac4e4f3ef5ef787a853d4e4ed2594522c5421bb0d47ddfa0db412c/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 17:57:09 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=owzzh2xovrhe6pxv554hvbj5jzhnewkfelcueg5q2r657ig3iewa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20c6424e353a9e436708bba102710844e52c8ada62ad91e6de65438ee233faff
NanoCore
45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
NanoCore
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
NanoCore
60db9d2df465b5bfcf2d1c0a71559c57c561d0746a0f3fd7f4e8b9203871cfb8
NanoCore
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
NanoCore
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
NanoCore
a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe
NanoCore
e8e343cbb5ec9cf1c0d2d4ce34773c03b18cbdc29811acbee054b0731660ad02
NanoCore
eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f
NanoCore
fa2bcbff57b3c111ea69b6f47cb4f39c4111b124ef97e3ee00347a175f67e93d
NanoCore
+ 343 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/201006-beekdpe1zx/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
75b393eaeeac4e4f3ef5ef787a853d4e4ed2594522c5421bb0d47ddfa0db412c
MD5 hash:
58b5c0edb251675b3d2bcdc4808ed0d6
SHA1 hash:
192108099153a9aa0d41f08e6fbebf6e1e84d4f6
Link:
https://www.unpac.me/results/f7419297-ef1e-46b4-ae2e-bdc730b7f2c4/
SH256 hash:
487c4c4b2f5f9c547312307f08bae63b06a6cbb045f2d9ad6e4cb6ed135c4f19
MD5 hash:
fa1f765001bef883d3223dbcb4496d06
SHA1 hash:
5eb1594b27e927edf2a2b5d87a1aa41d448a9af5
Link:
https://www.unpac.me/results/f7419297-ef1e-46b4-ae2e-bdc730b7f2c4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
RevengeRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75b393eaeeac4e4f3ef5ef787a853d4e4ed2594522c5421bb0d47ddfa0db412c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso d87cccefffcf29b4acd58d73b786e8d15c052d61aa1fc5523d93b5b900cd5941

NanoCore

Executable exe 75b393eaeeac4e4f3ef5ef787a853d4e4ed2594522c5421bb0d47ddfa0db412c

(this sample)

  
Dropped by
MD5 584faa31a49e70eb0bd2833252b13a29
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68652/
  
Dropped by
SHA256 d87cccefffcf29b4acd58d73b786e8d15c052d61aa1fc5523d93b5b900cd5941

Comments