MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed
SHA3-384 hash: c1156b1a4091d61a9cff3b860226da6a40c984fa08cdd809b50168e3610f3d9f971b10281e8bac42dcca64e741ccb810
SHA1 hash: baf26cfe3c8ba84fc3da7cc2da74741130f2bb21
MD5 hash: 379482795da0042d0070e6ae599a369b
humanhash: neptune-black-alanine-bakerloo
File name:CN-Invoice-XXXXX9808-19011143287989.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:209'408 bytes
First seen:2021-02-22 07:30:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:DVz5TWmVK3zUNBhgT2tPo55rKrFUcDOC53bzf01I:DVRV+bIFNMI
Threatray 70 similar samples on MalwareBazaar
TLSH 95247303A92D99B2EF38A33E40050CC991F51D9C56C9B21A4BB8BD3DD97D4621D1FE2E
Reporter abuse_ch
Tags:exe FedEx NanoCore


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 64.188.20.113.static.quadranet.com
Sending IP: 64.188.20.113
From: FedEx Express - Do Not Reply <Carrie.Park@expeditors.com>
Reply-To: nopeply-fedeoxngr@iname.com
Subject: [CN]: FedEx Invoice 账单 (CustomerAccount -XXXXX9808-19011143287989)
Attachment: CN-Invoice-XXXXX9808-19011143287989.iso (contains "CN-Invoice-XXXXX9808-19011143287989.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118248/
Detection(s):
Win.Malware.Noon-9829285-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613792
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Creates an autostart registry key pointing to binary in C:\Windows
Detected Nanocore Rat
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355908 Sample: CN-Invoice-XXXXX9808-190111... Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Detected Nanocore Rat 2->64 66 8 other signatures 2->66 7 CN-Invoice-XXXXX9808-19011143287989.exe 23 10 2->7         started        12 explorer.exe 2->12         started        14 explorer.exe 2->14         started        16 6 other processes 2->16 process3 dnsIp4 58 coroloboxorozor.com 104.21.71.230, 49733, 49767, 80 CLOUDFLARENETUS United States 7->58 42 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 7->42 dropped 44 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->44 dropped 46 CN-Invoice-XXXXX98...11143287989.exe.log, ASCII 7->46 dropped 48 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->48 dropped 68 Creates an autostart registry key pointing to binary in C:\Windows 7->68 70 Adds a directory exclusion to Windows Defender 7->70 72 Tries to delay execution (extensive OutputDebugStringW loop) 7->72 76 2 other signatures 7->76 18 AdvancedRun.exe 1 7->18         started        21 cmd.exe 7->21         started        23 powershell.exe 26 7->23         started        25 powershell.exe 7->25         started        27 svchost.exe 12->27         started        74 Drops executables to the windows directory (C:\Windows) and starts them 14->74 30 svchost.exe 14->30         started        file5 signatures6 process7 dnsIp8 50 192.168.2.1 unknown unknown 18->50 32 AdvancedRun.exe 18->32         started        34 conhost.exe 21->34         started        36 timeout.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        52 172.67.172.17, 49761, 80 CLOUDFLARENETUS United States 27->52 54 coroloboxorozor.com 27->54 78 System process connects to network (likely due to code injection or exploit) 27->78 80 Multi AV Scanner detection for dropped file 27->80 82 Machine Learning detection for dropped file 27->82 84 Tries to delay execution (extensive OutputDebugStringW loop) 27->84 56 coroloboxorozor.com 30->56 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 07:31:26 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwdc7fuarfulx2oklp2xcm27q3grad5knujruhqur34mkt22j3wq._file
Verdict:
malicious
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
NanoCore
19ea2b24f4d65b8169f982300901dba2253a880e3bd3f07dfcf933c0fe67a139
NanoCore
2ddbf5aed765723b948699526bc2a9a49864dc1181e21f4c51fe613aa8d0ca7e
NanoCore
3ada27c7c8e3828ea8ab4b6e4b8372b879c90ea95306a2a5ba30758cf097399d
NanoCore
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
NanoCore
638c7d6859e792cc15836509bd58bf468b755fee3dcf669d2dcf328dd0029f12
NanoCore
a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
NanoCore
a0f4dd8f54f51cb4d1243ecf21b2e5d578464ec54ba9b8e98b1afdb17465b4bc
NanoCore
db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99
NanoCore
ea34ce44176906af3dd7ec1e4d9db0df144f5769ce3298d88864698c54164c9b
NanoCore
+ 60 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210222-14z78v4sye/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed
MD5 hash:
379482795da0042d0070e6ae599a369b
SHA1 hash:
baf26cfe3c8ba84fc3da7cc2da74741130f2bb21
Link:
https://www.unpac.me/results/2b9f91a6-e0eb-43a8-9a6e-afb7f6ee6b3f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso 38063246fb1b21967dc05b8ce6bbce3fe0cb089d8735494ff2414213e6c8e1af

NanoCore

Executable exe 7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed

(this sample)

  
Dropped by
MD5 b0ee4b5e23cde22beef77350afb4d563
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118248/
  
Dropped by
SHA256 38063246fb1b21967dc05b8ce6bbce3fe0cb089d8735494ff2414213e6c8e1af

Comments