MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b517d5a439ae92d7470dcf9595b0069dd0a18a4933fe13ae6571bea0fcb9a254. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b517d5a439ae92d7470dcf9595b0069dd0a18a4933fe13ae6571bea0fcb9a254
SHA3-384 hash: 8dbdaf64224557c5566eddcb2f71f679b217125fe917ef58b7336b0b4756d963825bb84fa7b1d58b124ea4a522022409
SHA1 hash: f8f3aa78165e9780f170d31fb98a915ac26a75ad
MD5 hash: 8280ee2ed48cec960e50328e13b73dea
humanhash: alabama-pennsylvania-seven-river
File name:310235118213_0365013261_20231017.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:61'572 bytes
First seen:2023-10-20 11:30:56 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:hsMKf3KFKp4kOcISmceTf1kb9HlsAGYmqGr:hsMg3KFTkO/SmceTGb9Hls3YRGr
Threatray 1'436 similar samples on MalwareBazaar
TLSH T139536DF1DE41151A4D4B27EAEC414872C5BC817E55220139FFDD639E920BA4CA7BEB0E
Reporter abuse_ch
Tags:NanoCore vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.15485.16748.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cerberus
Link:
https://www.filescan.io/uploads/653264f7966b1cca70ea5758/reports/40fe25d5-b9c3-445b-8264-62c0c18f544a/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/b517d5a439ae92d7470dcf9595b0069dd0a18a4933fe13ae6571bea0fcb9a254
Result
Verdict:
MALICIOUS
Result
Threat name:
NanoCore, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329222
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329222 Sample: 310235118213_0365013261_202... Startdate: 20/10/2023 Architecture: WINDOWS Score: 100 30 googlehosted.l.googleusercontent.com 2->30 32 drive.google.com 2->32 34 doc-14-10-docs.googleusercontent.com 2->34 48 Snort IDS alert for network traffic 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Found malware configuration 2->52 54 9 other signatures 2->54 10 wscript.exe 1 2->10         started        signatures3 process4 signatures5 58 VBScript performs obfuscated calls to suspicious functions 10->58 60 Suspicious powershell command line found 10->60 62 Wscript starts Powershell (via cmd or directly) 10->62 64 Very long command line found 10->64 13 powershell.exe 16 10->13         started        process6 signatures7 66 Suspicious powershell command line found 13->66 68 Very long command line found 13->68 16 powershell.exe 19 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 42 Writes to foreign memory regions 16->42 44 Maps a DLL or memory area into another process 16->44 46 Found suspicious powershell code related to unpacking or dynamic code loading 16->46 21 CasPol.exe 3 15 16->21         started        process10 dnsIp11 36 wqqkgzmrdwxl8j.duckdns.org 91.193.75.195, 23591, 49725, 49729 DAVID_CRAIGGG Serbia 21->36 38 googlehosted.l.googleusercontent.com 142.251.163.132, 443, 49711, 49713 GOOGLEUS United States 21->38 40 drive.google.com 172.253.63.100, 443, 49710, 49712 GOOGLEUS United States 21->40 28 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 21->28 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->56 26 dw20.exe 2 15 21->26         started        file12 signatures13 process14
Score:
100%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/b517d5a439ae92d7470dcf9595b0069dd0a18a4933fe13ae6571bea0fcb9a254
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b517d5a439ae92d7470dcf9595b0069dd0a18a4933fe13ae6571bea0fcb9a254/
Threat name:
Win32.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 16:08:37 UTC
File Type:
Text (VBS)
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wul5ljbzv2jnorynz6kzlmagtxikdcsjgp7bhltfog7kb7fzujka._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
03c24c4da5f42a1b9a770e84a0dd1f8e690b9e6873bf338fbec1d75d80006739
NanoCore
15f43e7843401484c486ddcfcf8119d2cd0f29f2e99017f4c96c83e530a91b17
NanoCore
6056ddf4fd5f58f421883da0176a32cbad5458c80d33e1e0d4f1ddcf28f6d21d
NanoCore
62c5fb5e4895a3da152268e54aecca3142b0ba8f1f5f4dd15b4a13747049d6f9
NanoCore
6fe55b655fc4cd3b51c813e38df4416675ae81ab0cd303e15f591fd74846f9de
NanoCore
71d8447b0d646903db508314cdc59708855c914ec4a3a72d7f06f487177e11fc
NanoCore
84143a9050c55b6467062bd75f5f10f826b9b1107f7e96e7838122b33547c844
NanoCore
dfb9b3c7cf15baa877da2d2c87e1e53761517094bab2de1a6b92ebca122fa858
NanoCore
e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71
NanoCore
+ 1'426 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231020-nmq1fsac4s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
NanoCore
Malware Config
C2 Extraction:
wqqkgzmrdwxl8j.duckdns.org:23591
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b517d5a439ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b517d5a439ae92d7470dcf9595b0069dd0a18a4933fe13ae6571bea0fcb9a254

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cerberus
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Cerberus

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Visual Basic Script (vbs) vbs b517d5a439ae92d7470dcf9595b0069dd0a18a4933fe13ae6571bea0fcb9a254

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments