MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a7f3b43db0c90726177dc2825f23869cb9c73da6dcd1497141b56fac54635cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a7f3b43db0c90726177dc2825f23869cb9c73da6dcd1497141b56fac54635cf
SHA3-384 hash: e3bb295cf664c3287ae69b8929bed8c1441b51982cf2828209de01d4b0411c8ad3861ee2687519855841232a5a282a2c
SHA1 hash: 701651078f6c12ad2adad151b935dbd0781ce6cb
MD5 hash: 2957df84acb0ef15db1deca20a604420
humanhash: red-indigo-texas-ten
File name:2957df84acb0ef15db1deca20a604420
Download: download sample
Signature NanoCore
Create hunting rule
File size:40'448 bytes
First seen:2022-02-28 13:21:56 UTC
Last seen:2022-02-28 14:43:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:ckVHdxM9gjm0ae5srmYCzOIrzhhJicQD:FHdDj5aeom3C8zhhJ+
Threatray 14'155 similar samples on MalwareBazaar
TLSH T1E003601ABD788120C61DCB3BCB5390F50231AF61AC92D50F68CB7F0E79F2B969964635
File icon (PE):PE icon
dhash icon 27f0d8d4d4d8f027 (16 x AgentTesla, 6 x NanoCore, 5 x DarkCloud)
Reporter zbetcheckin
Tags:32 exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/245351/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GRR.genEldorado.17017.7198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware obfuscated packed shell32.dll update.exe
Link:
https://www.filescan.io/uploads/621ccc82b94fb38cb424a498/reports/5f009ea5-6273-4522-a848-6ead646638e6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc21bbbb-6396-4e79-aadc-2ed4008dad89
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/947402
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 579888 Sample: A8SYWehCWH Startdate: 28/02/2022 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 5 other signatures 2->48 8 A8SYWehCWH.exe 16 8 2->8         started        process3 dnsIp4 36 172.217.168.14 GOOGLEUS United States 8->36 38 8.8.8.8 GOOGLEUS United States 8->38 40 13.231.238.12 AMAZON-02US United States 8->40 26 C:\Users\user\AppData\Roaming\...\updete.exe, PE32 8->26 dropped 28 C:\Users\user\...\updete.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\...\A8SYWehCWH.exe.log, ASCII 8->30 dropped 32 C:\Users\user\...\Jqvegxtbirdvppsx.exe, PE32 8->32 dropped 54 Tries to detect virtualization through RDTSC time measurements 8->54 13 A8SYWehCWH.exe 8->13         started        16 Jqvegxtbirdvppsx.exe 14 2 8->16         started        file5 signatures6 process7 signatures8 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Maps a DLL or memory area into another process 13->58 60 Queues an APC in another process (thread injection) 13->60 18 explorer.exe 13->18 injected process9 process10 20 updete.exe 14 2 18->20         started        24 updete.exe 2 18->24         started        dnsIp11 34 192.168.2.1 unknown unknown 20->34 50 Multi AV Scanner detection for dropped file 20->50 52 Machine Learning detection for dropped file 20->52 signatures12
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8a7f3b43db0c90726177dc2825f23869cb9c73da6dcd1497141b56fac54635cf/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-02-28 13:22:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
NanoCore
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
NanoCore
4e11667f1b10d3afa5f8bc073581224342f0753bbd9cf6a3cc5e470e89e0c4e5
NanoCore
65810e62e56f9ca0aa57ead14fc57cd5a512b86bb52825421c8761530692a26d
NanoCore
92e4964a6f237d0ac0e881fbdb1ed93a46e78cead4894fbd9667a00a80b96da7
NanoCore
9ef59c316ef7c708193c4f92d61218a7ef39c6ab788f88853c2c374968037006
NanoCore
e9f3be0c409dfce073fc55ea97594b0ff18f7953e1793cb7aa8a7c0f87549ebb
NanoCore
fa4fe52b60d9da8ae735fe5ff04114abd194754fcd4ca94c0558ca7f6a3b3945
NanoCore
+ 14'145 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:nanocore campaign:d4n9 evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220228-ql79fsecg4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
NanoCore
Malware Config
C2 Extraction:
2.56.56.96:111
Unpacked files
SH256 hash:
8a7f3b43db0c90726177dc2825f23869cb9c73da6dcd1497141b56fac54635cf
MD5 hash:
2957df84acb0ef15db1deca20a604420
SHA1 hash:
701651078f6c12ad2adad151b935dbd0781ce6cb
Link:
https://www.unpac.me/results/b6d8b94e-d58c-4775-9ac8-74043bb26a0f/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8a7f3b43db0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/8a7f3b43db0c90726177dc2825f23869cb9c73da6dcd1497141b56fac54635cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Executable exe 8a7f3b43db0c90726177dc2825f23869cb9c73da6dcd1497141b56fac54635cf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2066476/
Cape
Cape
https://www.capesandbox.com/analysis/245351/

Comments


Avatar
zbet commented on 2022-02-28 13:21:58 UTC

url : hxxp://13.231.238.12/dart/IMG-0077520021.bat