MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c529ab72479cafe6645b71c4cdf115ff759ede36fb34257f9eac7bd38802f5b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c529ab72479cafe6645b71c4cdf115ff759ede36fb34257f9eac7bd38802f5b0
SHA3-384 hash: 6e4ed63740ff401fa1417179f1bc345c3c89fb79657c7f22cb23fba845e4df596bb7f132fb698ea9ade74fbcb8435aed
SHA1 hash: fab03de62b245751a84c788b0dc4d38ff3ebd0ea
MD5 hash: ee3c6a9adabf66692fbe317427857de1
humanhash: oregon-helium-music-golf
File name:POP.arj
Download: download sample
Signature NanoCore
Create hunting rule
File size:901'998 bytes
First seen:2022-05-08 06:32:50 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:RFYKpJZ7CyPp/WlG5R+yeLn3UZLws/kj/w7IyW0zbHVE8zLM6bDZwjvdO/M:00ZPg+A3UZLlkj/C5b1E8zI6b1wjvAM
TLSH T16A1523F425B5FF3ED6B43BB2CEC85FD541228289173BE931D20B36580D9248366D9A2D
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:arj NanoCore zip


Avatar
cocaman
Malicious email (T1566.001)
From: "reservations@tenminutesbytractor.com.au" (likely spoofed)
Received: "from brotherstrading.com.pk (unknown [212.193.30.204]) "
Date: "07 May 2022 16:05:48 -0700"
Subject: "RE: Group Booking for 6 may 2022 /Family & Friends"
Attachment: "POP.arj"

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6277643c36c061db6e59b240/reports/48135984-a519-4ca1-b473-d8672cf21ec0/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c529ab72479cafe6645b71c4cdf115ff759ede36fb34257f9eac7bd38802f5b0
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c529ab72479cafe6645b71c4cdf115ff759ede36fb34257f9eac7bd38802f5b0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-08 06:33:09 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
11 of 42 (26.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yuu2w4shtsx6mzc3ohcm34iv752z5xrw7m2ck746vr55hcac6wya._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220508-ha681scdgm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
deranano2.ddns.net:1187
194.31.178:1187
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c529ab72479cafe6645b71c4cdf115ff759ede36fb34257f9eac7bd38802f5b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip c529ab72479cafe6645b71c4cdf115ff759ede36fb34257f9eac7bd38802f5b0

(this sample)

NanoCore

Executable exe 25d7fa2bfc89484d806bae297d6b5b81ff2de51f93d414c5ba9b86c0dff1a513

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 25d7fa2bfc89484d806bae297d6b5b81ff2de51f93d414c5ba9b86c0dff1a513
  
Dropping
NanoCore

Comments