MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d8af568b0657ff10c735bce816033ce6f844aed1879f94ab6e1fee8a8da3677. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d8af568b0657ff10c735bce816033ce6f844aed1879f94ab6e1fee8a8da3677
SHA3-384 hash: 3fde868a85c8c7c3e01d28c19681240e3827d2633594ec4e690c95c8437f0aff9ec32dcb5c975f72cee120947392f0db
SHA1 hash: 84bb3650430163978ef1918ba6edaee9a7705389
MD5 hash: 8e44eb8b76e7cfe54abc30226f76b61f
humanhash: speaker-winner-north-king
File name:INVOICE.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:950 bytes
First seen:2021-08-19 08:12:42 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:uhutV6Q77N+kiuNounuAbZbGJA8kcXO2qvELJ7g3NnLd+KPj2T+TOM:uOV7NDiIpGScXO2qvEcNngKG+TOM
Threatray 3'736 similar samples on MalwareBazaar
TLSH T1BE11C0394CA58EBA0345D0B100878DCCDF20C7577B98FE391834B45A5D9CE399E8DA0B
Reporter abuse_ch
Tags:NanoCore vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180582/
Detection(s):
SecuriteInfo.com.ISB.Downloadergen76.6335.22007.UNOFFICIAL
Create hunting rule

Result
Verdict:
SUSPICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/835612
Signature
Creates an undocumented autostart registry key
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d8af568b0657ff10c735bce816033ce6f844aed1879f94ab6e1fee8a8da3677/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 08:13:18 UTC
AV detection:
2 of 46 (4.35%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=twfpk2fqmv77cddtlphicybtzzxyisxndb47ssvw4h7orkg2gz3q._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
414a79e6c87489cb73e9176e867d554788a28ba86cb4e00f3f8fed15400999bd
NanoCore
7e4bc5c98691dd99d7c856dc26110113c15d72fb5b8a73db75a9c9b2bee021e2
NanoCore
7f1cd16cd2d2e5644752a3e0fd411c3902bad47051779d5bd539e9650f53787c
NanoCore
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
NanoCore
a0710f6483cebd22f615c3435ee70a971d490f15c9529c3f2450e3cb73d35a16
NanoCore
d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
NanoCore
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
NanoCore
+ 3'726 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210819-ncz4waqqss/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://transfer.sh/1kqpOIu/bypass.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d8af568b0657ff10c735bce816033ce6f844aed1879f94ab6e1fee8a8da3677

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_Case_Anomaly
Create hunting rule
Author:Florian Roth
Description:Detects obfuscated PowerShell hacktools
Reference:https://twitter.com/danielhbohannon/status/905096106924761088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Visual Basic Script (vbs) vbs 9d8af568b0657ff10c735bce816033ce6f844aed1879f94ab6e1fee8a8da3677

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180582/

Comments