MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d0d2500dfd003f6c3d097613fa435fdeb0607350856af9b24cb58c87acb2954. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d0d2500dfd003f6c3d097613fa435fdeb0607350856af9b24cb58c87acb2954
SHA3-384 hash: 8f1a675ba5e19a632e4ea47a74c7b01223edeafbcec28702a57de43fbe97d05ff679afa8a9b134f7dcf5722c77c03f00
SHA1 hash: 12509fc8374810bb3daf7d9941917739738f1dad
MD5 hash: dd40123134e1ce102425e514d5b88f50
humanhash: hotel-queen-quebec-princess
File name:Shipping Docs.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:649'216 bytes
First seen:2022-02-01 19:15:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:pnD5LoD4hj086j1lml5FD+0Igt7oH5oxb0CMzw:dD50DWjp6j1lmln3IyF4zw
Threatray 8'046 similar samples on MalwareBazaar
TLSH T1BFD4BE1763D80FD5D878BBFB0259A64023E4F1DF6331FB2B6A99422845136C66E5E30B
Reporter Anonymous
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/229311/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38828359.31848.16392.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Running batch commands
Creating a file in the %temp% directory
Launching a process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/61f9870e6d25ac9e79f75642/reports/7bc3f094-a8d0-434e-baac-fa252cd17581/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffa19203-61bc-4314-b247-34eae7b1176e
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/932007
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 564490 Sample: Shipping Docs.exe Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 7 other signatures 2->49 7 Shipping Docs.exe 5 2->7         started        process3 file4 31 C:\Users\user\...\Shipping Docs.exe.log, ASCII 7->31 dropped 33 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->33 dropped 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->51 11 cmd.exe 1 7->11         started        14 cmd.exe 3 7->14         started        signatures5 process6 file7 53 Uses ping.exe to sleep 11->53 55 Uses ping.exe to check the status of other devices and networks 11->55 17 reg.exe 1 1 11->17         started        20 PING.EXE 1 11->20         started        23 conhost.exe 11->23         started        35 C:\Users\user\AppData\Roaming\A\A.exe, PE32 14->35 dropped 37 C:\Users\user\...\A.exe:Zone.Identifier, ASCII 14->37 dropped 25 conhost.exe 14->25         started        27 PING.EXE 1 14->27         started        29 PING.EXE 1 14->29         started        signatures8 process9 dnsIp10 41 Creates autostart registry keys with suspicious names 17->41 39 127.0.0.1 unknown unknown 20->39 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d0d2500dfd003f6c3d097613fa435fdeb0607350856af9b24cb58c87acb2954/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-31 17:40:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
74
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
1c048355497ad9461aa8c36b0a16783e459f2e11491bf4fdc6221545a9ae93e7
NanoCore
1f7898921d0e7323307f8ae4e880df41224100be6857233dfd4ad9d90ef74fc0
NanoCore
4f7da7d6fb331a8098d4ce354690ffc64d8f0225307b406e722548109e669d4d
NanoCore
525b7d66ed7032178d6fed1686560143655af76f12c8b344f03f09632a4287d7
NanoCore
61004944921826aa2cdf48c60720daa7e45a6694606ce82e62ea38c655856c0f
NanoCore
8bf0518cd0c607aa51073dfe422f6af43ab8b43523bd0c182cc6172c9ecb9072
NanoCore
8de953938b8fb2d222892012da5758cefe50de064f61416c2bc2c6e6f019352c
NanoCore
+ 8'036 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220201-xytedsbag7/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
373ecebfcd740da14d1fa114a15b08af91f4e2a524e1317af07e952c904890f0
MD5 hash:
7d640ef18f4fbb737fdbec6885bb1682
SHA1 hash:
a7197370dd3372c66d2da9b3f851c2801e705b43
Link:
https://www.unpac.me/results/fd3d768c-5add-4a9a-b624-1e6aece407cd/
SH256 hash:
073a5df9fd5981e264d6727ddb5bed71cb787c29edc18ebc11f28d3077287d53
MD5 hash:
1b206ab2feb0ad527be014f8fc1ee917
SHA1 hash:
4f64c81e38bf8cad8ca15e35abd857ae3bb1fc83
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/fd3d768c-5add-4a9a-b624-1e6aece407cd/
SH256 hash:
e036660b56e1439cf1706f557444222038a1da26190dffe5c27e9ea006cd1708
MD5 hash:
4d1b753a65eda9b108806b70e17f85d0
SHA1 hash:
4018fd3cb7f05868618be82c7498028dd79aab75
Link:
https://www.unpac.me/results/fd3d768c-5add-4a9a-b624-1e6aece407cd/
SH256 hash:
8d0d2500dfd003f6c3d097613fa435fdeb0607350856af9b24cb58c87acb2954
MD5 hash:
dd40123134e1ce102425e514d5b88f50
SHA1 hash:
12509fc8374810bb3daf7d9941917739738f1dad
Link:
https://www.unpac.me/results/fd3d768c-5add-4a9a-b624-1e6aece407cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d0d2500dfd003f6c3d097613fa435fdeb0607350856af9b24cb58c87acb2954

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/229311/

Comments