MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1d80d80dfb9794c72e6c3a71aacf04fb353ba48c244488f4712f5cc20d5f831. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1d80d80dfb9794c72e6c3a71aacf04fb353ba48c244488f4712f5cc20d5f831
SHA3-384 hash: 33b2caf5c511447ca6b8303090817bd304636b80df26e315623780887f4cc86388292eb7fd7d81c5088f409694508f20
SHA1 hash: 5246cfa28c335912449ebc3bf161ab56edd5c043
MD5 hash: 632ca90d0ec88484ddf719c0a5b9e91d
humanhash: quiet-wolfram-georgia-friend
File name:Instrukcja_CertSign·pdf.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'082'480 bytes
First seen:2023-07-12 06:27:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f23f452093b5c1ff091a2f9fb4fa3e9 (276 x GuLoader, 37 x RemcosRAT, 23 x AgentTesla)
ssdeep 24576:whlXrkMvVlIefzKs5F4lJPy0A/++5fiUa+7FNREKREH9:GXoMvrH4l80xo7VEKREd
Threatray 695 similar samples on MalwareBazaar
TLSH T19A35129227B2CD03F381627C6956EF7D5E20DD94398ACD2226E8BDA77914733983A143
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fab2b6e4b4b4a4a4 (5 x Loki, 2 x NanoCore, 1 x GuLoader)
Reporter abuse_ch
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Instrukcja_CertSign·pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-11 11:42:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e1a9a89a-cc52-44da-8702-10b276931a55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/416351/
Detection(s):
SecuriteInfo.com.Variant.Tedy.398177.19003.13980.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97231/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b1d80d80dfb9794c72e6c3a71aacf04fb353ba48c244488f4712f5cc20d5f831
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/830c5fbb-da52-4b2c-a655-dd4ba3431a35
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1270818
Signature
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1d80d80dfb9794c72e6c3a71aacf04fb353ba48c244488f4712f5cc20d5f831/
Threat name:
Win32.PUA.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-11 07:27:11 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
13 of 23 (56.52%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whma3ag7xf4uy4xgyotrvlhqj6zvhosiyjcerd2hcl24yigv7ayq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1a6a26126907eba868eb76873864deedc4170c3da63c3bce70d7fe0d9adaeece
NanoCore
2dc3154ffa4a3fc2533b7b221f215b41d6c21b70acb780fa8f46b212cb798b94
NanoCore
4dcf685ec146dd3a0b5cf5869bbda64af27223b16963e629df4f6103c8537208
NanoCore
59513bfeaf670993430990ea716bf0f17472ee43169c1722350e345066f0e337
NanoCore
7fa4a11b501e03019ad7b90d08c297554cd7c5e9b49de7aacfba190db630e5a4
NanoCore
9c21b977acef57ad64a9b518f1469b60e5d566cb1d5a89b245b975157f7c8aa4
NanoCore
b17de6384fa619dff0fe5e40d5e8f228eff8bb9544fa73e955a12f30018b8597
NanoCore
b3c83ca8ac0be1a91267ff0c5f12e3db8b08b4fa0c8c44df69a4a358c946bbee
NanoCore
f857890d674a9d4abd8ef6d735c7c03eef0a75777c64cb4a62917d12b68dcbfa
NanoCore
+ 685 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore discovery keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230712-g8c76adb9v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction:
wqqkgzmrdwxl8j.duckdns.org:23591
Unpacked files
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/6a827003-f858-45c3-9795-f2d763300366/
SH256 hash:
b1d80d80dfb9794c72e6c3a71aacf04fb353ba48c244488f4712f5cc20d5f831
MD5 hash:
632ca90d0ec88484ddf719c0a5b9e91d
SHA1 hash:
5246cfa28c335912449ebc3bf161ab56edd5c043
Link:
https://www.unpac.me/results/6a827003-f858-45c3-9795-f2d763300366/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe b1d80d80dfb9794c72e6c3a71aacf04fb353ba48c244488f4712f5cc20d5f831

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/416351/

Comments