MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab43f4e6ffd099d03057feefa2e8371637e4dc1e7aed8486a4aa9f5f5e194ee4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab43f4e6ffd099d03057feefa2e8371637e4dc1e7aed8486a4aa9f5f5e194ee4
SHA3-384 hash: 4a1bc56b9f7f5b5112689a2ee0dd072bfa87f003d56b16d341e23db2360146d92e09ecadc286387f2a5b0a0448358bd5
SHA1 hash: 7c5572f72b3949c683d2a293236eff54c75667f4
MD5 hash: cfda115be2934c27e215001e62ca4ba0
humanhash: nineteen-butter-mars-cat
File name:PO_93029.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'164'800 bytes
First seen:2020-10-13 17:46:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:86u+/0tNNuN6nYBBxVFMc85WxF/5jIIeC5iZc7ff9TYQ08qSkI/W6Y+ltrgWOHh5:wZjoxVKc+UF/guffZpZ1WulBg9gcRj
Threatray 1 similar samples on MalwareBazaar
TLSH 0C4538B853277BF2D0196B7348E914A20A33EC9B3D737906A731BB7F8929C4B09D1552
Reporter abuse_ch
Tags:exe NanoCore Rackspace RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: smtp77.iad3a.emailsrvr.com
Sending IP: 173.203.187.77
From: info@brightcenter.org
Subject: PurOrder
Attachment: PO_93029.zip (contains "PO_93029.exe")

NanoCore RAT C2:
zoomvision.xyz:4090 (193.142.59.106)

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.MulDrop14.2847.12002.3523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Enabling autorun
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/490154
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 297530 Sample: PO_93029.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 56 zoomvision.xyz 2->56 66 Multi AV Scanner detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Machine Learning detection for sample 2->70 72 3 other signatures 2->72 9 PO_93029.exe 8 2->9         started        13 utilmansvr.exe 2->13         started        signatures3 process4 file5 42 C:\Users\user\AppData\Local\Temp\tmp.exe, PE32+ 9->42 dropped 44 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 9->44 dropped 46 C:\Users\user\AppData\...\PO_93029.exe.log, ASCII 9->46 dropped 48 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 9->48 dropped 88 Injects a PE file into a foreign processes 9->88 15 tmp.exe 3 9->15         started        19 cmd.exe 1 9->19         started        21 cmd.exe 3 9->21         started        23 8 other processes 9->23 signatures6 process7 file8 50 C:\ProgramData\utilmansvr\utilmansvr.exe, PE32+ 15->50 dropped 62 Machine Learning detection for dropped file 15->62 64 Contains functionality to inject code into remote processes 15->64 25 utilmansvr.exe 5 15->25         started        28 reg.exe 1 1 19->28         started        30 conhost.exe 19->30         started        52 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 21->52 dropped 32 conhost.exe 21->32         started        54 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 23->54 dropped 34 conhost.exe 23->34         started        signatures9 process10 signatures11 78 Machine Learning detection for dropped file 25->78 80 Injects code into the Windows Explorer (explorer.exe) 25->80 82 Writes to foreign memory regions 25->82 86 2 other signatures 25->86 36 explorer.exe 25->36         started        40 svchost.exe 1 25->40         started        84 Creates an undocumented autostart registry key 28->84 process12 dnsIp13 58 192.168.2.1 unknown unknown 36->58 74 System process connects to network (likely due to code injection or exploit) 36->74 60 zoomvision.xyz 193.142.59.106, 4090 HOSTSLICK-GERMANYNL Netherlands 40->60 76 Creates autostart registry keys with suspicious names 40->76 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab43f4e6ffd099d03057feefa2e8371637e4dc1e7aed8486a4aa9f5f5e194ee4/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 14:56:18 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnb7jzx72cm5amcx73x2f2bxcy36jxa6plwyjbvevkpv6xqzj3sa._file
Verdict:
suspicious
Similar samples:
78be18a8bdab5baf14aa5c195ce9f5636750cd4fee2d3bbc3528f4ed8f9ad9ee
NanoCore
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201013-e8fzh6srrs/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
ab43f4e6ffd099d03057feefa2e8371637e4dc1e7aed8486a4aa9f5f5e194ee4
MD5 hash:
cfda115be2934c27e215001e62ca4ba0
SHA1 hash:
7c5572f72b3949c683d2a293236eff54c75667f4
Link:
https://www.unpac.me/results/336a223a-77f8-49a4-8188-d1fc190f6eac/
SH256 hash:
248714f7c01258560d7fc93bb563c958634aee6554c093a7b4be261f128f8005
MD5 hash:
8ebc736b9e64d04805aab0912de2f059
SHA1 hash:
f07297ce225b401a3c7b14590659753d9e1fa3fc
Link:
https://www.unpac.me/results/336a223a-77f8-49a4-8188-d1fc190f6eac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab43f4e6ffd099d03057feefa2e8371637e4dc1e7aed8486a4aa9f5f5e194ee4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip f7cc72b1ea933e746798089350a35c1f109bf8d33f12dd94c402fee986cb3ac6

NanoCore

Executable exe ab43f4e6ffd099d03057feefa2e8371637e4dc1e7aed8486a4aa9f5f5e194ee4

(this sample)

  
Dropped by
MD5 c9bce95c96d59c8fc993745ad085f24c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70574/
  
Dropped by
SHA256 f7cc72b1ea933e746798089350a35c1f109bf8d33f12dd94c402fee986cb3ac6

Comments