MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8065cd13f47664398c8c02165ca41f9c7f8f823e018f2773e947d63c8ba4bc2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8065cd13f47664398c8c02165ca41f9c7f8f823e018f2773e947d63c8ba4bc2b
SHA3-384 hash: 3cc40fd01eaea9d20ed8f842ad70603ed8c7074acb0449c01d63e807c3ab27878be309e0c4bd8d5c69d09b065661516d
SHA1 hash: 0842a47f067121ff811ee7dd00bc167906738909
MD5 hash: bfcc207a11b00be050cd343c29610cdf
humanhash: two-kansas-music-yankee
File name:Y5s7x6c4d_Invoice_receipt.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:731 bytes
First seen:2021-08-11 19:46:50 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:dXVlTX7Fl9kQOGv9IXeNccMf+8irXWMMeRo8N5zliwqhP/jvVlg7:Tl7FeG9geNVXLMeyMgV67
Threatray 2'515 similar samples on MalwareBazaar
TLSH T141016800B901F1E38106F387DDF11279A6F7B2A48891E590206C829F00BB8AE2E83E40
Reporter abuse_ch
Tags:NanoCore vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
333
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178375/
Detection(s):
SecuriteInfo.com.VBS.Agent.VRQtr.29044.32089.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/831221
Signature
Creates an undocumented autostart registry key
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8065cd13f47664398c8c02165ca41f9c7f8f823e018f2773e947d63c8ba4bc2b/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 19:47:05 UTC
AV detection:
3 of 47 (6.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbs42e7uozsdtdemailfzja7tr7y7ar6aghso47ji7ldzc5exqvq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
116aa7bc57d59020e469c51acb832bfb44fa109a65155e9749506168860f6e06
NanoCore
305bf6557bcc3df14cf33993d14e03fa84a6bd7611a990402fae4522ff098454
NanoCore
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
NanoCore
4d01d1b24f4f7487669486becc7ff8b43a126f56ffb3d8fcce8c66b200412475
NanoCore
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
NanoCore
62820764aa07d5d7aa0cd0f3f6decc6aa576fcd411e7561646151aa77d765174
NanoCore
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
NanoCore
a276b0d2aaf8a132ffbe9ae16763975bcf38fc1e5a6419890712fc3de02b793f
NanoCore
c3ddf55e53888193522a7b619370b746cb0a79502c5157a98754a9009f644a11
NanoCore
+ 2'505 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/210811-49axk77tna/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
NanoCore
suricata: ET MALWARE DTLoader Binary Request M2
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
augcavite.duckdns.org:3500
Dropper Extraction:
https://transfer.sh/1fWuoMe/bypass.txt
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8065cd13f476/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8065cd13f47664398c8c02165ca41f9c7f8f823e018f2773e947d63c8ba4bc2b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Visual Basic Script (vbs) vbs 8065cd13f47664398c8c02165ca41f9c7f8f823e018f2773e947d63c8ba4bc2b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/178375/

Comments