MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b878b9ac8e25d2d8d649f702059ac623edb99df1df8bed840a5e1a97dc0e5f6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b878b9ac8e25d2d8d649f702059ac623edb99df1df8bed840a5e1a97dc0e5f6e
SHA3-384 hash: 8b66fc247cf67cf532a55c7148953bbe2d3ba69f20ff38952930d9561dbcdc6076f5b2f59ba2ba3e3abf7ab69369d453
SHA1 hash: de1000bbcaac638959bcdeafee74a0cd33e7fc4b
MD5 hash: dd78401ed024d182e2c7bda5a140f5a4
humanhash: lactose-bacon-angel-edward
File name:Bill Of Lading.lz
Download: download sample
Signature NanoCore
Create hunting rule
File size:568'699 bytes
First seen:2022-05-04 06:05:17 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:J3hQwbRfs8Xlxec/jhdMmTQKUDBMCWior4p6J:JR3SKxHbhOpKkBMgXW
TLSH T11AC423C5AC74072340D6A20E34CE8A35EBA7FDADF6684754DE298E479D20A37A0D4BC5
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:lz NanoCore rar


Avatar
cocaman
Malicious email (T1566.001)
From: "VIFS-JITU [vifs@vifs.net]" (likely spoofed)
Received: "from candianidenim.it (unknown [212.193.30.204]) "
Date: "03 May 2022 20:51:22 -0700"
Subject: "RE: Revised 1st print for B/l no: MEDUI8506053 //Re: Required draft //Re: RELEASE RELEASE NO.: 363IN0323610422 // HAZ BOOKING || INTTRA NO: 2020507146 // 1X20 BARCELONA // POL: HAZIRA // CARGO: HAZ // SHIPPER: CHEMCON // HAZ REF. NO.: BRDH00104"
Attachment: "Bill Of Lading.lz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/627217ce2b32b1c37c90c7aa/reports/0d740e83-74fa-45bc-8745-d46142f45e0a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b878b9ac8e25d2d8d649f702059ac623edb99df1df8bed840a5e1a97dc0e5f6e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 06:06:10 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
12 of 42 (28.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xb4ltleoexjnrvsj64balgwgepw3thpr36f63baklynjpxaol5xa._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220504-gtq6gadbc9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
deranano2.ddns.net:1187
194.31.178:1187
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b878b9ac8e25d2d8d649f702059ac623edb99df1df8bed840a5e1a97dc0e5f6e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar b878b9ac8e25d2d8d649f702059ac623edb99df1df8bed840a5e1a97dc0e5f6e

(this sample)

NanoCore

Executable exe b9d9fc33dc623971bbbf29c9ba63b81e71177163aa404366622fd3f083b89136

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b9d9fc33dc623971bbbf29c9ba63b81e71177163aa404366622fd3f083b89136
  
Dropping
NanoCore

Comments