MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88ffe4c8afc9b30ad07bf5161593a0a19c3737ba8c5eb49353a2470ecd811b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88ffe4c8afc9b30ad07bf5161593a0a19c3737ba8c5eb49353a2470ecd811b15
SHA3-384 hash: 6778f9a6880fb01750e2f6a04ccddd784fc988a9d5bbbe0162c93c3293041f37e44108a5789314a9052d6e132bb62d93
SHA1 hash: 2ea1786549f7c313b791cb30b90fa9fb3eb26906
MD5 hash: 37063e625b091bac29e183106124c1d8
humanhash: mars-south-stairway-wyoming
File name:ORDER#4500121785_PO_PRODUCTS_PlG_Trading Services _Co.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:784'384 bytes
First seen:2020-10-19 06:27:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0YWpZJIJlcNqt8dx1cbi8za9eNaO/cutbW80pdMFJ+aNxpX4E51F7DbnK:0hUTcNqt8dfcPO9Q4DMFJ+8xpX4uXG
Threatray 10'590 similar samples on MalwareBazaar
TLSH 80F4E145FA40C404DC3D5BB0E46E8DF41367BD66E974A25F2E88BE363BF31E21926249
Reporter abuse_ch
Tags:exe NanoCore


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.huincacoop.com.ar
Sending IP: 200.29.255.6
From: PHAN NGỌC HỒNG <purchase.phuoc.nguyen@plg-tts.com.vn>
Subject: Order 4500121785
Attachment: ORDER4500121785_PO_PRODUCTS_PlG_Trading Services _Co.arj (contains "ORDER#4500121785_PO_PRODUCTS_PlG_Trading Services _Co.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72720/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Unauthorized injection to a recently created process
Result
Threat name:
Nanocore AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494885
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299901 Sample: ORDER#4500121785_PO_PRODUCT... Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Sigma detected: Capture Wi-Fi password 2->76 78 12 other signatures 2->78 9 ORDER#4500121785_PO_PRODUCTS_PlG_Trading Services _Co.exe 6 2->9         started        13 RegAsm.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 3 other processes 2->17 process3 file4 54 C:\Users\user\AppData\Roaming\...\Xehfo.exe, PE32 9->54 dropped 56 ORDER#4500121785_P...ervices _Co.exe.log, ASCII 9->56 dropped 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->86 19 Xehfo.exe 1 5 9->19         started        23 conhost.exe 13->23         started        25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        signatures5 process6 file7 52 C:\Users\user\AppData\Roaming\samyy3.exe, PE32 19->52 dropped 80 Multi AV Scanner detection for dropped file 19->80 82 Machine Learning detection for dropped file 19->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->84 29 samyy3.exe 9 19->29         started        34 RegAsm.exe 19->34         started        36 RegAsm.exe 19->36         started        38 RegAsm.exe 19->38         started        signatures8 process9 dnsIp10 66 smtp.homecares-tw.com 29->66 68 us2.smtp.mailhostbox.com 208.91.199.224, 49761, 49762, 587 PUBLIC-DOMAIN-REGISTRYUS United States 29->68 58 C:\Windows\System32\drivers\etc\hosts, ASCII 29->58 dropped 88 Antivirus detection for dropped file 29->88 90 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->90 92 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 29->92 96 7 other signatures 29->96 40 netsh.exe 29->40         started        70 185.140.53.221, 4488, 49757, 49758 DAVID_CRAIGGG Sweden 34->70 60 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 34->60 dropped 62 C:\Users\user\AppData\Local\...\tmp99B4.tmp, XML 34->62 dropped 64 C:\Program Files (x86)\...\dhcpmon.exe, PE32 34->64 dropped 94 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->94 42 schtasks.exe 34->42         started        44 schtasks.exe 34->44         started        file11 signatures12 process13 process14 46 conhost.exe 40->46         started        48 conhost.exe 42->48         started        50 conhost.exe 44->50         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88ffe4c8afc9b30ad07bf5161593a0a19c3737ba8c5eb49353a2470ecd811b15/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 00:15:56 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rd76jsfpzgzqvud36ulble5augodon52rrplje2tujdq5tmbdmkq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
29dbd904452edf79122808dfb4810fcf8d089b8e298f68d48497c4b82ebcb1b1
NanoCore
38814f6587d098be00d461dae2dfeb01b50e2a697d86bfc02e334024133bfed8
NanoCore
5adb192079fbc16f4631d3e5c894d9bec1ed384e7be85742c4f076760eb64a0f
NanoCore
5fb13ec9aec5b17f482da9aa1b4843d58721d0c99090e9f6cb3a88940666cc61
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
b8f3cbf0a0b70cb4b78ca6c7506b17b63cca1de782a1897dfba2bd8156303283
NanoCore
c1c841ab92fcc7f486280ba17d8e08dfd8626c2b7adad80bc83bd27794dde5e6
NanoCore
c560dadc5a125a4c74dda79e22d40279f7883a0d961eb39b9095119d3196baaa
NanoCore
fd54073286010523ef59ce428c3ae8b92f87abce1027ed232befe46499bf5e53
NanoCore
ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35
NanoCore
+ 10'580 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla family:nanocore persistence
Link:
https://tria.ge/reports/201019-q4xqhqheze/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
NanoCore
Malware Config
C2 Extraction:
185.140.53.221:4488
Unpacked files
SH256 hash:
88ffe4c8afc9b30ad07bf5161593a0a19c3737ba8c5eb49353a2470ecd811b15
MD5 hash:
37063e625b091bac29e183106124c1d8
SHA1 hash:
2ea1786549f7c313b791cb30b90fa9fb3eb26906
Link:
https://www.unpac.me/results/e1c4decb-4617-4993-9a5c-fd8a0b8e4091/
SH256 hash:
f639be36bc66c00b52163e746ad1f07d004308e5c786e5ce4db3bf1d62470d9d
MD5 hash:
e959577cf4ee4f988bbaaea81ffa4030
SHA1 hash:
2faa9c90fb666f6cc4253255e27024c25724100d
Link:
https://www.unpac.me/results/e1c4decb-4617-4993-9a5c-fd8a0b8e4091/
SH256 hash:
e43bb5ea91b8babd2ce1c921521c9b66e855fd7abc12a889086d11013fead5d8
MD5 hash:
a263de818585061931058e70d17bab24
SHA1 hash:
844e95c4c2a7a3a8408ec9afaec08fb3b3527f50
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/e1c4decb-4617-4993-9a5c-fd8a0b8e4091/
SH256 hash:
a84c578a894cb09e71ab5c95a40aa77cd2c32dd9682029448b48706a10c048e4
MD5 hash:
aafef776ce56d42ce8af4573d6623db1
SHA1 hash:
b1ff2d64f19f8644c93e0d483897ed5bea323ec1
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/e1c4decb-4617-4993-9a5c-fd8a0b8e4091/
Parent samples :
88ffe4c8afc9b30ad07bf5161593a0a19c3737ba8c5eb49353a2470ecd811b15
933eeba2969c95d0a0a4511fb7e8a23ce3254583f7b2da7b01e22338e10c3210
0e73be8ac2af541adec894525a9fa34edb5e269951d60f72c91d2b4f3f320a3a
ce76fc43c1ae2fc7d499a24d0d93b8ffae25e9d3ef6d6c8086e54ffd0d29ff31
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88ffe4c8afc9b30ad07bf5161593a0a19c3737ba8c5eb49353a2470ecd811b15

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 032245134af231bfb273709f52ad635df9b86fd859ea9d7610e97a07725372dc

NanoCore

Executable exe 88ffe4c8afc9b30ad07bf5161593a0a19c3737ba8c5eb49353a2470ecd811b15

(this sample)

  
Dropped by
MD5 3fa7540e345f9f76db5d5a5ab62169ac
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 032245134af231bfb273709f52ad635df9b86fd859ea9d7610e97a07725372dc
Cape
Cape
https://www.capesandbox.com/analysis/72720/

Comments