MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adf3f47687c15c048c4c909e95c5c2c17187259832ebbab51b6a0b2c5e5f588e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 6



SHA256 hash: adf3f47687c15c048c4c909e95c5c2c17187259832ebbab51b6a0b2c5e5f588e
SHA3-384 hash: 4d7c6f3b6a51702eb74b71985f1f0d0c560c90d11b63a905f84f24fecbc26b7104ef3d63ae9bc71b5396fc6e33285e9e
SHA1 hash: 17689728c4692d160f0d9691acf9058ccd4973e4
MD5 hash: 217f5a5adc31909d03b0e16b40fc109f
humanhash: seven-nitrogen-nitrogen-maine
File name: CN-Invoice-XXXXX9808-19011143287989.exe
Signature: NanoCore
File size: 906'240 bytes
First seen: 2021-01-29 13:01:15 UTC
Last seen: 2021-01-29 14:54:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:MHxyf2mwqwXBPpRJPlvIWO4IPjW7CncPzqjtZ7:MRyf2Os13BlDOVq7CdZ
Threatray: 309 similar samples on MalwareBazaar
TLSH: CD1549DE03F0004BD11856F3A895AFE41661ECFA7B21C6157E41FEDEAE313E244A65E2
Reporter: Anonymous
Tags: exe NanoCore
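The imphash listed for this sample is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger uploads because it is not a property of the family at all: f34d5f2d4577ed6d9ceec516c1f5a744 is the import hash of every managed (.NET/MSIL) executable, whose only native import is mscoree.dll!_CorExeMain (the vendor threat name ByteCode-MSIL.Trojan.Ymacco further down confirms this sample is MSIL). Pivoting on it finds .NET binaries, not NanoCore. The Python below is an added example, not code from MalwareBazaar or from the sample, that reimplements the imphash calculation used by pefile (lower-cased "dll.function" pairs in import-table order, comma-joined, MD5) over constructed import lists; the function and constant names are this example's own, and ordinal-only imports are deliberately left out.

```python
import hashlib
import re

# Imphash as pefile computes it: every imported function becomes
# "<dll name without .dll/.ocx/.sys>.<function name>", all lower case, kept in
# import-table order, comma-joined and MD5-hashed.  Ordinal-only imports, which
# pefile resolves through a per-DLL ordinal table, are not handled here.
_STRIP_EXT = re.compile(r"\.(dll|ocx|sys)$")


def imphash(imports):
    """imports: list of (dll_name, function_name) pairs in import-table order."""
    parts = []
    for dll, func in imports:
        lib = _STRIP_EXT.sub("", dll.lower())
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed import tables for illustration (not parsed from the sample above).
# A managed (.NET/MSIL) executable has a single native import: the CLR entry stub.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# A small native program whose import set actually says something about
# what the code does (file writes, registry writes, sockets).
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("WS2_32.dll", "connect"),
]

# The imphash shown on this page for the NanoCore sample.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def is_generic_dotnet_imphash(value):
    """True when an imphash is the fingerprint of every managed EXE and so
    carries no family signal for pivoting."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


if __name__ == "__main__":
    print("managed EXE :", imphash(DOTNET_EXE_IMPORTS))
    print("native      :", imphash(NATIVE_IMPORTS))
    print("page value is the generic .NET imphash:",
          is_generic_dotnet_imphash(PAGE_IMPHASH))
```

When triaging a MalwareBazaar entry, treat an imphash that `is_generic_dotnet_imphash` accepts as unusable for attribution and pivot on ssdeep, TLSH or the Threatray cluster instead; the native-import case shows what a meaningful imphash looks like, and changing import order changes the value, which is why recompiled variants of the same native family often still share it while repacked ones do not.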

Intelligence


File Origin
# of uploads: 2
# of downloads: 157
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: CN-Invoice-XXXXX9808-19011143287989.exe
Verdict: Malicious activity
Analysis date: 2021-01-29 13:02:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action the analyst took during the session, not only the behaviour of the uploaded sample.
Result
Verdict: Malware

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Sending a UDP request
Enabling autorun
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 92 / 100
Signature
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Threat name: ByteCode-MSIL.Trojan.Ymacco
Status: Malicious
First seen: 2021-01-29 02:07:53 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
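Of the sandbox behaviours reported for this sample, three are the ones a defender can alert on directly: the Winlogon modification used for persistence, the autostart registry key, and the removal of the Zone.Identifier stream that marks a file as downloaded from the Internet. The Python below is an added example, not part of this entry or of any vendor's product, that runs those three checks over a handful of constructed events. The event shape (event, key, name, data, image, path), the field names and the sample paths are this example's own simplification, not Sysmon's schema, and the Winlogon defaults are a minimal allowlist that a real deployment would extend.

```python
import re

# Values a stock Windows install keeps in the Winlogon key.  Compared in lower
# case with a trailing comma removed, because Userinit normally ends in ",".
# This is a starting allowlist, not a complete one: hosts with vendor agents
# or domain customisations may legitimately carry extra entries.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

WINLOGON_KEY = re.compile(r"\\microsoft\\windows nt\\currentversion\\winlogon$", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)


def check_registry_set(ev):
    """Alert on a Winlogon Shell/Userinit change away from the default, or on
    any write under the Run/RunOnce autostart keys.  Returns text or None."""
    key, name, data = ev["key"], ev["name"].lower(), ev["data"]
    if WINLOGON_KEY.search(key) and name in WINLOGON_DEFAULTS:
        if data.lower().rstrip(",") not in WINLOGON_DEFAULTS[name]:
            return f"winlogon_persistence: {ev['image']} set {name}={data!r}"
    if RUN_KEY.search(key):
        return f"run_key_autostart: {ev['image']} set {name}={data!r}"
    return None


def check_file_delete(ev):
    """Alert when the Zone.Identifier alternate data stream (the mark of the
    web on a downloaded file) is removed."""
    if ev["path"].lower().endswith(":zone.identifier"):
        return f"motw_removed: {ev['image']} deleted {ev['path']}"
    return None


HANDLERS = {"registry_set": check_registry_set, "file_delete": check_file_delete}


def scan(events):
    """Run the matching handler over each event dict and collect alert lines."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev["event"])
        if handler is None:
            continue
        alert = handler(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events in a simplified shape (not real Sysmon output).
SAMPLE = r"C:\Users\bob\Downloads\CN-Invoice-XXXXX9808-19011143287989.exe"
SAMPLE_EVENTS = [
    # benign: Explorer writing the default Shell value
    {"event": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Shell", "data": "explorer.exe"},
    # a dropped binary chained onto Userinit
    {"event": "registry_set", "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\svc.exe,"},
    # a per-user Run key entry
    {"event": "registry_set", "image": SAMPLE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Update", "data": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    # the sample stripping its own mark of the web
    {"event": "file_delete", "image": SAMPLE, "path": SAMPLE + ":Zone.Identifier"},
    # benign temp file cleanup
    {"event": "file_delete", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\tmp1234.tmp"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The Winlogon check compares against an allowlist rather than looking for known-bad strings, because the attacker controls the path that gets appended; the Run key check fires on every write and is meant to be tuned with the images that legitimately install autostarts on the estate. Zone.Identifier deletion is noisy on its own (users unblock files too), so it is most useful when correlated with the same image also touching one of the persistence keys, as the sample on this page does.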
Unpacked files
SHA256 hash: adf3f47687c15c048c4c909e95c5c2c17187259832ebbab51b6a0b2c5e5f588e
MD5 hash: 217f5a5adc31909d03b0e16b40fc109f
SHA1 hash: 17689728c4692d160f0d9691acf9058ccd4973e4
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments