MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 865ace0d8291b403d80bcf26ebbc0adc9b108879fc6df41ea82be1c2c54ad17c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 865ace0d8291b403d80bcf26ebbc0adc9b108879fc6df41ea82be1c2c54ad17c
SHA3-384 hash: 7af54819abe5395cadb4dd4065f65e07b883a78111537b1a066a04a3d9672cb34f28e2feb50aa95d53d7849c28c908ea
SHA1 hash: 2720547741c774f663d5f7ad2064b9af5fd36d2e
MD5 hash: 6a7501cd18460d0915d3c9c1b171652f
humanhash: robin-robin-alabama-mango
File name:paymentslip.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'806'136 bytes
First seen:2020-10-26 14:34:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:q2Ibu9kXLVdabfZ9eygHpdDRSxhG3hOoOHTRAsnu5Po51UbJ0VlWQ0iOkXM+eDE:KX5dabfvwDkxhG3hOo+dnUoHlVjOa6DE
Threatray 204 similar samples on MalwareBazaar
TLSH D785027DB79DFF70E5256EBC001158960123FED22EB2F11AAF9479188EB39C90987B41
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: usskm13.hostsila.org
Sending IP: 216.155.147.117
From: BDO <office@exotictour.az>
Reply-To: BDO <orozcobryan409@yahoo.com>
Subject: Bank deposit slip for your confirmation
Attachment: bdo_bank_payment_slip.rar (contains "paymentslip.exe")

NanoCore C2:
favor.testfood.ml:49617 (31.220.4.216)

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79183/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a window
Setting a global event handler
DNS request
Creating a file
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Connection attempt to an infection source
Enabling autorun
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511993
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305173 Sample: paymentslip.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 44 favor.testfood.ml 2->44 50 Antivirus detection for dropped file 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 5 other signatures 2->56 8 paymentslip.exe 10 2->8         started        signatures3 process4 file5 40 C:\Users\user\AppData\...\name.exe.bat, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 8->42 dropped 60 Writes to foreign memory regions 8->60 62 Allocates memory in foreign processes 8->62 64 Injects a PE file into a foreign processes 8->64 12 svhost.exe 1 8->12         started        16 cmd.exe 1 8->16         started        18 cmd.exe 3 8->18         started        21 3 other processes 8->21 signatures6 process7 dnsIp8 46 favor.testfood.ml 31.220.4.216, 49617 HOSTHATCHUS Germany 12->46 48 192.168.2.1 unknown unknown 12->48 66 Tries to detect virtualization through RDTSC time measurements 12->66 68 Hides threads from debuggers 12->68 70 Contains functionality to hide a thread from the debugger 12->70 23 reg.exe 1 1 16->23         started        26 conhost.exe 16->26         started        38 C:\Users\user\AppData\Roaming\...\name.exe, PE32 18->38 dropped 28 conhost.exe 18->28         started        30 conhost.exe 21->30         started        32 conhost.exe 21->32         started        34 conhost.exe 21->34         started        36 timeout.exe 1 21->36         started        file9 signatures10 process11 signatures12 58 Creates an undocumented autostart registry key 23->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/865ace0d8291b403d80bcf26ebbc0adc9b108879fc6df41ea82be1c2c54ad17c/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 06:13:22 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qznm4dmcsg2ahwalz4toxpak3snrbcdz7rw7ihvifpq4frkk2f6a._file
Verdict:
unknown
Similar samples:
1167a7d5a6192107c841eee3d1292914e2ddbe6b661f2c2c41f1c1977ac97372
NanoCore
35975410919029f5c15ea420be97c10c327b94a2aa9e9b044e15660aede8c509
NanoCore
3b2ea32978b65edcc7308a2860e788b7631ecdde10e72b689268f3fdffdaeb4f
NanoCore
5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
NanoCore
78be18a8bdab5baf14aa5c195ce9f5636750cd4fee2d3bbc3528f4ed8f9ad9ee
NanoCore
7f58f70a483138bf0d7c25357b8dd87d6aa94f080cdd24333be6dd51390e45b2
NanoCore
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
NanoCore
ab43f4e6ffd099d03057feefa2e8371637e4dc1e7aed8486a4aa9f5f5e194ee4
NanoCore
b7d55f5145ac91a9b2e9d1b98f65bf6844248ebd6612be241e2fe5755dcf0733
NanoCore
fe2f20398cff7bea0e10e10940e0936e2525ba8dba51263387f1b1d82d8b1aea
NanoCore
+ 194 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201026-2rmb3ze9wj/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:upx_packed
Create hunting rule
Description:UPX packed file
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 4a03e19e4fc6c581ac1d2aac5a5767fc375b5013c21ffdd3de575fe70e229c09

NanoCore

Executable exe 865ace0d8291b403d80bcf26ebbc0adc9b108879fc6df41ea82be1c2c54ad17c

(this sample)

  
Dropped by
MD5 922fbdad8e0404f0e742a0064e430019
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4a03e19e4fc6c581ac1d2aac5a5767fc375b5013c21ffdd3de575fe70e229c09
Cape
Cape
https://www.capesandbox.com/analysis/79183/

Comments