MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1e66473cfdd393d62a203c1f16190106881f1fe6a671081e232f6ec1ab191fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1e66473cfdd393d62a203c1f16190106881f1fe6a671081e232f6ec1ab191fa
SHA3-384 hash: 58078417f5e531e24b8d82528165bcc3d696256d3dad046b718014e5ee7a0512e0ac2fe3e1f0d1bee14b3659c62867b0
SHA1 hash: 13189fb04bec2d3c8756002508f88c56befba45c
MD5 hash: 407f87b0adf2f788bb357e6ca02c9244
humanhash: fish-batman-lion-artist
File name:Purchase Order..exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:246'272 bytes
First seen:2020-10-28 06:54:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:cepgdLtehyTYyJ+0OKjV1j0UjwboN/nIh5GVru8NL5/YlqeABF9zY1y/C+CVM:c7FtlkwGKjLEbQo5GxLxYlcfYI3CVM
TLSH 0A34C73D970EDF78F52975B800066041C292F6D26B66F11EAF92BC388DF368D09D6B91
Reporter cocaman
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/80289/
Detection(s):
SecuriteInfo.com.Artemis407F87B0ADF2.2731.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Setting a keyboard event handler
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Enabling autorun
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/514545
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Detected Remcos RAT
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 306388 Sample: Purchase Order..exe Startdate: 28/10/2020 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for dropped file 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 9 other signatures 2->51 7 Purchase Order..exe 11 2->7         started        process3 file4 37 C:\Users\user\AppData\Roaming\tmp.exe, PE32 7->37 dropped 39 C:\Users\user\AppData\...\name.exe.bat, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 7->41 dropped 55 Writes to foreign memory regions 7->55 57 Allocates memory in foreign processes 7->57 59 Injects a PE file into a foreign processes 7->59 11 tmp.exe 1 2 7->11         started        15 svhost.exe 7->15         started        17 cmd.exe 1 7->17         started        19 4 other processes 7->19 signatures5 process6 dnsIp7 43 79.134.225.50, 42025, 49711, 49713 FINK-TELECOM-SERVICESCH Switzerland 11->43 61 Antivirus detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Contains functionality to detect virtual machines (IN, VMware) 11->65 73 2 other signatures 11->73 67 Contains functionality to steal Chrome passwords or cookies 15->67 69 Contains functionality to capture and log keystrokes 15->69 71 Contains functionality to steal Firefox passwords or cookies 15->71 22 reg.exe 1 1 17->22         started        25 conhost.exe 17->25         started        35 C:\Users\user\AppData\Roaming\...\name.exe, PE32 19->35 dropped 27 conhost.exe 19->27         started        29 conhost.exe 19->29         started        31 conhost.exe 19->31         started        33 2 other processes 19->33 file8 signatures9 process10 signatures11 53 Creates an undocumented autostart registry key 22->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1e66473cfdd393d62a203c1f16190106881f1fe6a671081e232f6ec1ab191fa/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-28 06:09:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhtgi46p3u4t2yvcapa7cymqcbuid4p6njtrbapcgl3oygvrsh5a._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/201028-6c6ejhr3ee/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
79.134.225.50:42025
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1e66473cfdd393d62a203c1f16190106881f1fe6a671081e232f6ec1ab191fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z ed353b60a40e752c840bf5cc805b7ece7bce448a736ddcf1ad89a69825533bf2

NanoCore

Executable exe a1e66473cfdd393d62a203c1f16190106881f1fe6a671081e232f6ec1ab191fa

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ed353b60a40e752c840bf5cc805b7ece7bce448a736ddcf1ad89a69825533bf2
Cape
Cape
https://www.capesandbox.com/analysis/80289/

Comments