MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1c0f56ea9577d5db3736d111687e1ac2ed63bf3875e3889ccb6b4d4869192f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1c0f56ea9577d5db3736d111687e1ac2ed63bf3875e3889ccb6b4d4869192f5
SHA3-384 hash: 8fde618f4f663cb15d1c7f92cf37ed54c4667c66b493d3e1230624c02369fe5e2edf931374daac1d8dd6b60ecbab6c31
SHA1 hash: 09b768cef131185a06e7b4b832dfe57ae39095c1
MD5 hash: 346908c0b7269fbd7b15d4fb758d15a5
humanhash: fillet-hydrogen-hamper-jig
File name:Payment Status.7z
Download: download sample
Signature NanoCore
Create hunting rule
File size:739'728 bytes
First seen:2021-04-30 06:41:18 UTC
Last seen:2021-04-30 07:04:10 UTC
File type: 7z
MIME type:application/x-rar
ssdeep 12288:lZtADdwy4IX5Ptmp5kerXzA8ENiwh/Bd1nChcmKCRZkOYrekPZTXYHt3j3cdOFRB:nt+5/erjxIiwBB/ChLKCRSek+dNRie
TLSH 3AF433B6DE3DE3E761A60AB55D3B839A50628BFFE90530542198F2A06518D7F040F7E3
Reporter GovCERT_CH

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1c0f56ea9577d5db3736d111687e1ac2ed63bf3875e3889ccb6b4d4869192f5/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 06:42:14 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhapk3vjk56v3m3tnuirnb7bvqxnmo7tq5pdrcomw22njbursl2q._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210430-5v5e7a875e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NanoCore
Malware Config
C2 Extraction:
178.63.172.23:4326
127.0.0.1:4326
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c1c0f56ea9577d5db3736d111687e1ac2ed63bf3875e3889ccb6b4d4869192f5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

7z c1c0f56ea9577d5db3736d111687e1ac2ed63bf3875e3889ccb6b4d4869192f5

(this sample)

NanoCore

Executable exe c2211332a0e3b1104f4fdf31621c230407ad29c068eab013e2f9ec0caac158aa

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c2211332a0e3b1104f4fdf31621c230407ad29c068eab013e2f9ec0caac158aa
  
Dropping
MD5 e10d0243bf934a98a83c7b3d2ee4a695

Comments