MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d6bdb0d30defb27ebfb460ab164507786c453edac69c31627463cde320b8906. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d6bdb0d30defb27ebfb460ab164507786c453edac69c31627463cde320b8906
SHA3-384 hash: 56dc20032fcc66db58e127d89cd2b52d7d2d90e505e9e05263fe0f202717495426340eb1f339efa40ff2bc813ff27023
SHA1 hash: 34fcdd2779a1ec71fc429f13c6ebaa54e3a6c1c5
MD5 hash: a6f70eb09c451280895884623216dc0c
humanhash: west-pennsylvania-vermont-double
File name:ECHOUVER.EXE
Download: download sample
Signature NanoCore
Create hunting rule
File size:494'080 bytes
First seen:2021-09-24 07:49:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Cxi6YaLOrhHyrKPMXPYsn4ZrhLzVLh7KPUVEU9:Cxi6RghHzPsPIrhLFh7yUV
Threatray 1 similar samples on MalwareBazaar
TLSH T181B4C073D202BDD6DB7E0E74C40019530C59396B937041DCBAB916BAA0B21DCDEA9BB7
File icon (PE):PE icon
dhash icon e4ccccccd4c4cccc (10 x Formbook, 10 x AgentTesla, 5 x Loki)
Reporter cocaman
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ECHOUVER.EXE
Verdict:
Malicious activity
Analysis date:
2021-09-24 07:52:34 UTC
Tags:
rat nanocore trojan
Link:
https://app.any.run/tasks/1852a743-51de-411c-9161-bc9a3f78e59c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191082/
Detection(s):
Win.Malware.Autoit-7340338-0
Create hunting rule

Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c350eb39-1f8a-4257-9ee1-4fc9a7c4a49f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/857158
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489596 Sample: ECHOUVER.EXE Startdate: 24/09/2021 Architecture: WINDOWS Score: 52 24 Multi AV Scanner detection for submitted file 2->24 26 Machine Learning detection for sample 2->26 7 ECHOUVER.EXE 1 2->7         started        process3 dnsIp4 22 192.168.2.1 unknown unknown 7->22 10 powershell.exe 68 7->10         started        12 powershell.exe 7->12         started        14 powershell.exe 7->14         started        process5 process6 16 conhost.exe 10->16         started        18 conhost.exe 12->18         started        20 conhost.exe 14->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d6bdb0d30defb27ebfb460ab164507786c453edac69c31627463cde320b8906/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 07:50:07 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pvv5wdjq335sp273iyflczcqo6dmiu7nvru4gfrhiy6n4mqlreda._file
Verdict:
malicious
Similar samples:
19f7f97c17580f22d17edc3e01639286a09eb587863dd298aebee46125bf5307
NanoCore
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210924-jnqnvsgcep/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
devil222.duckdns.org:5050
Unpacked files
SH256 hash:
a2a155496f7670afd994345f07484eabb199271542366471ced327c2fde6df5b
MD5 hash:
5dfa3f1186459dcd679a954bb40b460f
SHA1 hash:
f9f7fd504a49085d9390b83fefa0fb0bf508a4a0
Link:
https://www.unpac.me/results/1b6036fb-d03f-4bd4-9887-7855a3b35dd9/
SH256 hash:
7d6bdb0d30defb27ebfb460ab164507786c453edac69c31627463cde320b8906
MD5 hash:
a6f70eb09c451280895884623216dc0c
SHA1 hash:
34fcdd2779a1ec71fc429f13c6ebaa54e3a6c1c5
Link:
https://www.unpac.me/results/1b6036fb-d03f-4bd4-9887-7855a3b35dd9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d6bdb0d30defb27ebfb460ab164507786c453edac69c31627463cde320b8906

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img dc3b2ac66e1be02a8c008c02f756130e18387ecafd869c4275aff3b9f57fbb3a

NanoCore

Executable exe 7d6bdb0d30defb27ebfb460ab164507786c453edac69c31627463cde320b8906

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 dc3b2ac66e1be02a8c008c02f756130e18387ecafd869c4275aff3b9f57fbb3a
Cape
Cape
https://www.capesandbox.com/analysis/191082/

Comments