MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c634652d912ddd573ec0b3650031251a050e7527c1275f052fa4473be8d30584. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c634652d912ddd573ec0b3650031251a050e7527c1275f052fa4473be8d30584
SHA3-384 hash: 262c34a1097c75ca5548253049fe8fe6f8ff732eaef359a22c697c70ae98a3dd2ef50d5fb4ab17b1b30f2f2ab6e521c4
SHA1 hash: aa4de32fd1ef10db5570852b86a95fb427fef7b8
MD5 hash: fbdd1d3920b40c7c3f922cf5d471c6a1
humanhash: mirror-chicken-uncle-fourteen
File name:Payment Order for #0025_PDF.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'475'602 bytes
First seen:2021-07-15 09:04:59 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:NJWp+gW2mDR5VOtEOiOOnEObzT+8fldzu1uV1WET8s0Y/re:3VjEE7OOnE0W6xe
Threatray 6'846 similar samples on MalwareBazaar
TLSH T13665023049C3FD705B7C9A72918C7ED92DA65D0BA0E8E254DB5E325C199A2B04CF7E32
Reporter abuse_ch
Tags:NanoCore RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171911/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816761
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powershell Test-Connection to delay payload execution;
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449168 Sample: Payment Order for #0025_PDF.vbs Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 71 www.yahoo.com 2->71 73 sys2021.linkpc.net 2->73 75 new-fp-shed.wg1.b.yahoo.com 2->75 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 10 other signatures 2->109 9 wscript.exe 3 2->9         started        13 dhcpmon.exe 2->13         started        signatures3 process4 file5 63 C:\Users\user\AppData\Local\Temp\name.exe, PE32 9->63 dropped 65 C:\Users\user\AppData\Local\Temp\file.exe, PE32 9->65 dropped 111 Benign windows process drops PE files 9->111 113 VBScript performs obfuscated calls to suspicious functions 9->113 15 name.exe 1 5 9->15         started        18 file.exe 4 9->18         started        115 Uses powershell Test-Connection to delay payload execution; 13->115 21 powershell.exe 13->21         started        24 powershell.exe 13->24         started        26 powershell.exe 13->26         started        signatures6 process7 dnsIp8 119 Creates an undocumented autostart registry key 15->119 121 Machine Learning detection for dropped file 15->121 123 Uses powershell Test-Connection to delay payload execution; 15->123 28 name.exe 15->28         started        33 powershell.exe 19 15->33         started        45 2 other processes 15->45 61 C:\Users\user\AppData\Roaming\...\name.exe, PE32 18->61 dropped 125 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->125 127 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->127 129 Injects a PE file into a foreign processes 18->129 35 powershell.exe 18 18->35         started        37 powershell.exe 18->37         started        47 2 other processes 18->47 77 www.yahoo.com 21->77 79 new-fp-shed.wg1.b.yahoo.com 21->79 39 conhost.exe 21->39         started        81 www.yahoo.com 24->81 83 new-fp-shed.wg1.b.yahoo.com 24->83 41 conhost.exe 24->41         started        85 www.yahoo.com 26->85 87 new-fp-shed.wg1.b.yahoo.com 26->87 43 conhost.exe 26->43         started        file9 signatures10 process11 dnsIp12 89 sys2021.linkpc.net 197.210.29.244, 11940 VCG-ASNG Nigeria 28->89 67 C:\Program Files (x86)\...\dhcpmon.exe, PE32 28->67 dropped 69 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 28->69 dropped 117 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->117 93 2 other IPs or domains 33->93 49 conhost.exe 33->49         started        95 2 other IPs or domains 35->95 51 conhost.exe 35->51         started        91 192.168.2.1 unknown unknown 37->91 97 2 other IPs or domains 37->97 53 conhost.exe 37->53         started        99 4 other IPs or domains 45->99 55 conhost.exe 45->55         started        57 conhost.exe 45->57         started        101 2 other IPs or domains 47->101 59 conhost.exe 47->59         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c634652d912ddd573ec0b3650031251a050e7527c1275f052fa4473be8d30584/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 09:05:06 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yy2gklmrfxovopwawnsqamjfdicq45jhyetv6bjpurdtx2gtawca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051
NanoCore
29890b01a73b6721cf2e80232cc366b95be2eeb81bd7beb72372cd3ae4f05293
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25
NanoCore
699d670809bccdbbdb2ae85d80be86d6fd00586c56e0375df34527d4ec6045cf
NanoCore
876b731a87a9261f5f533bab8b57c6cdc23664268fe8232cb6c65adb37b99c79
NanoCore
8d3fde104daed4ea247d38c763872e1617c6d9143f85a657de2c42c7ee17f104
NanoCore
93bb62774d2359778e34985d5c7fc6be51f91e48706509b8698714f0b5f46a46
NanoCore
a95487fcc6e10653c359e496d789b3a99abe5c7da8b5d2d426cbb86f4bdc8a75
NanoCore
e0fe982389456170eea35ca081a62fc9ee770a27af6058c48059b0c80b4a620a
NanoCore
+ 6'836 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210715-vkl6t5g2rn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
NanoCore
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c634652d912ddd573ec0b3650031251a050e7527c1275f052fa4473be8d30584

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171911/

Comments