MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b008ed360af03c8b5f1a31bad43238507f56e73a546109d66349cc6638cb406f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b008ed360af03c8b5f1a31bad43238507f56e73a546109d66349cc6638cb406f
SHA3-384 hash: a15639211618c727661c3c99e7d09ce4ef1912b62574622e1fcacb326e3c9f74b944c824055c20560d6784e8d9bae1d7
SHA1 hash: b3ba31609155422c9f2d86b53f7242432bfafdce
MD5 hash: 407e8450b1f6d59841eaa47a63d2466a
humanhash: cup-equal-california-helium
File name:Transfer Form.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:467'456 bytes
First seen:2020-08-14 10:13:34 UTC
Last seen:2020-08-14 14:10:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:hO0f7WyZa1NiMhsXuNivjtt+L40yODzUnfDxmaDsjVjnLswhZMHAVmltlHwbDLTc:D/wmMhsuYvjKERwzUPD60ly0
Threatray 2'240 similar samples on MalwareBazaar
TLSH 9BA4BF5AE366F802C7593F70D0A1EBB906F0B765DC1397067069B62DA22E74F2C25336
Reporter abuse_ch
Tags:exe NanoCore RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mib.com.mv
Sending IP: 37.48.85.242
From: "tradefinance@mib.com.mv" <tradefinance@mib.com.mv>
Subject: TT
Attachment: Transfer Form.zip (contains "Transfer Form.exe")

Intelligence

File Origin
# of uploads :
5
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45793/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.276.20404.29277.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Sending a UDP request
Enabling autorun
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/429392
Signature
Creates an undocumented autostart registry key
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 267176 Sample: Transfer Form.exe Startdate: 16/08/2020 Architecture: WINDOWS Score: 100 53 www.in-dire.com 2->53 55 www.dieschoenschreiberin.net 2->55 63 Malicious sample detected (through community Yara rule) 2->63 65 Yara detected FormBook 2->65 67 Machine Learning detection for sample 2->67 69 3 other signatures 2->69 9 Transfer Form.exe 7 2->9         started        signatures3 process4 file5 47 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 9->47 dropped 49 C:\Users\user\...\Transfer Form.exe.log, ASCII 9->49 dropped 51 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 9->51 dropped 79 Injects a PE file into a foreign processes 9->79 13 Transfer Form.exe 9->13         started        16 cmd.exe 1 9->16         started        18 cmd.exe 3 9->18         started        21 cmd.exe 1 9->21         started        signatures6 process7 file8 83 Modifies the context of a thread in another process (thread injection) 13->83 85 Maps a DLL or memory area into another process 13->85 87 Sample uses process hollowing technique 13->87 89 Queues an APC in another process (thread injection) 13->89 23 explorer.exe 13->23 injected 26 reg.exe 1 1 16->26         started        29 conhost.exe 16->29         started        39 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 18->39 dropped 31 conhost.exe 18->31         started        41 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 21->41 dropped 33 conhost.exe 21->33         started        signatures9 process10 dnsIp11 57 www.xqt51888.com 23->57 59 www.vierahandy.com 23->59 61 2 other IPs or domains 23->61 35 WWAHost.exe 17 23->35         started        81 Creates an undocumented autostart registry key 26->81 signatures12 process13 file14 43 C:\Users\user\AppData\...\561logrv.ini, data 35->43 dropped 45 C:\Users\user\AppData\...\561logri.ini, data 35->45 dropped 71 Detected FormBook malware 35->71 73 Tries to steal Mail credentials (via file access) 35->73 75 Tries to harvest and steal browser information (history, passwords, etc) 35->75 77 3 other signatures 35->77 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b008ed360af03c8b5f1a31bad43238507f56e73a546109d66349cc6638cb406f/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 10:15:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=waeo2nqk6a6iwxy2gg5nimrykb7vnzz2krqqtvtdjhggmoglibxq._file
Verdict:
malicious
Similar samples:
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
NanoCore
2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5
NanoCore
478dce496a9eca179f7503d76fa70a27d85e2e8547b81b5c80fc7433122085c3
NanoCore
61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece
NanoCore
83159525ad9374d710ea33342d68834a491e3f14ea3f3fa6c39db3f2096c3059
NanoCore
8a5ae789ab7a7fe7d2d2bd23a633ae2d4a06b8b3dd93d7ea716847209067a92d
NanoCore
9e31a9eedd25bd1b57d01f6f9f265cf5d13218f3e3e1866128d061ba5c77c452
NanoCore
b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9
NanoCore
e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0
NanoCore
f3c6e6f5bf996841cc3777b0b3769e2092e5a85ad110b46764b45c3681793874
NanoCore
+ 2'230 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200814-qdwqfcay5s/
Behaviour
Gathers network information
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.com/mzg/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b008ed360af03c8b5f1a31bad43238507f56e73a546109d66349cc6638cb406f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip dd6f5c43408cd464c375d1b5092f5e2321b559df32ffe19b91520b88d95e8a64

NanoCore

Executable exe b008ed360af03c8b5f1a31bad43238507f56e73a546109d66349cc6638cb406f

(this sample)

  
Dropped by
MD5 0c7c3f923a523a60f3ac1d7a9d88a8c4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45793/
  
Dropped by
SHA256 dd6f5c43408cd464c375d1b5092f5e2321b559df32ffe19b91520b88d95e8a64

Comments