MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
SHA3-384 hash: 5f3520842d83ca3affeb53a910c721830b3238672884bc12ae748e477cd0004e32a6a71faa6cab347a3253c378c5448a
SHA1 hash: 86100dc4042fad3609e8eff175e1409f1b899eb2
MD5 hash: c7940438819a62c9dd82d206ca4db81f
humanhash: ten-william-lactose-lake
File name:Swift Copy.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:502'272 bytes
First seen:2020-10-14 15:15:52 UTC
Last seen:2020-10-14 18:42:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:J+USl9kkHdgkPGUJNFxVPbp5/id8jMZuYvjXPpg8oiG4cE8bSRw/GgRQWQ:JRSckHxZJNztSZ3vjXGUXj5czQ
Threatray 2'447 similar samples on MalwareBazaar
TLSH 60B47D6D770ADFB8D11B6A714003F1B30117FDD59A52A51A3BC13C9BAAB2A4E0DC6F81
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: ultimatecircle.com.my
Sending IP: 95.211.208.23
From: sales@ultimatecircle.com.my
Subject: RE: PAYMENT INSTRUCTIONS
Attachment: Swift Copy.zip (contains "Swift Copy.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70863/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.37649.31764.17844.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491248
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298153 Sample: Swift Copy.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 6 other signatures 2->55 9 Swift Copy.exe 7 2->9         started        process3 file4 43 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 9->43 dropped 45 C:\Users\user\AppData\...\Swift Copy.exe.log, ASCII 9->45 dropped 47 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 9->47 dropped 61 Injects a PE file into a foreign processes 9->61 13 Swift Copy.exe 9->13         started        16 cmd.exe 1 9->16         started        18 cmd.exe 3 9->18         started        21 cmd.exe 1 9->21         started        signatures5 process6 file7 63 Modifies the context of a thread in another process (thread injection) 13->63 65 Maps a DLL or memory area into another process 13->65 67 Sample uses process hollowing technique 13->67 69 Queues an APC in another process (thread injection) 13->69 23 explorer.exe 13->23 injected 25 reg.exe 1 1 16->25         started        28 conhost.exe 16->28         started        39 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 18->39 dropped 30 conhost.exe 18->30         started        41 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 21->41 dropped 32 conhost.exe 21->32         started        signatures8 process9 signatures10 34 explorer.exe 23->34         started        59 Creates an undocumented autostart registry key 25->59 process11 signatures12 57 Tries to detect virtualization through RDTSC time measurements 34->57 37 cmd.exe 34->37         started        process13
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 12:45:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rtrgzqx3el7d3cox6s6z5kjf6byz76jarnhdpmpxdoou5ailzqga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
NanoCore
9b9d8f51a8cf586b0380629f644676e0dce350466b06224523e01db393522339
NanoCore
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
NanoCore
c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a
NanoCore
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
NanoCore
cb9826fb54d83c293531c905827920511bd9d7b259da01ac1e593d9d10aec334
NanoCore
d4014ac2689b47f11708425cad3d8aa02dd05ee6d6745006156dffbe0a27b4be
NanoCore
db53a27c43dddb419e9d058e6288f3c1e7fc7e4bd62e3bb048e7103dcf79d682
NanoCore
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
NanoCore
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
NanoCore
+ 2'437 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201014-q2vpaeflke/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.purebodyrecovery.com/rhk/
Unpacked files
SH256 hash:
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
MD5 hash:
c7940438819a62c9dd82d206ca4db81f
SHA1 hash:
86100dc4042fad3609e8eff175e1409f1b899eb2
Link:
https://www.unpac.me/results/913654a2-e06b-470f-8f00-d16f00db9bf9/
SH256 hash:
00fbae02cdcd2438dbc3a8758e8e5dcc8bb86b26162c6b23c1edae3f0ccc918f
MD5 hash:
3c5e36539ea6b6ea02774b082f151ac6
SHA1 hash:
b0ed5a1f3bb540f8c5a08ec5909ec5f1fa59fcf5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/913654a2-e06b-470f-8f00-d16f00db9bf9/
Parent samples :
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
cb9826fb54d83c293531c905827920511bd9d7b259da01ac1e593d9d10aec334
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip b00bccfeeec06e55a8b19c1b47de603b0baedc9586401a38bf57048977522baf

NanoCore

Executable exe 8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c

(this sample)

  
Dropped by
MD5 61e201badce314e5ac74f2f27acb88d4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70863/
  
Dropped by
SHA256 b00bccfeeec06e55a8b19c1b47de603b0baedc9586401a38bf57048977522baf

Comments