MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7c69808d91c1b72143c1fd9c56a53c8bac6be4a19c1bf4e337fd1be830a9bf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7c69808d91c1b72143c1fd9c56a53c8bac6be4a19c1bf4e337fd1be830a9bf9
SHA3-384 hash: 1e78b8a84f10a456ec12006471bcba1e7552394d2b91b21ea58307afff96186e29e80b44c62e806e28bcb03c73002e60
SHA1 hash: 488b76140c9071b4c4b82edb27565b31a3307d1a
MD5 hash: da45ae0d96c1f435eba5c3126f51dcdc
humanhash: eleven-ten-october-six
File name:QUOTATION.7z
Download: download sample
Signature NanoCore
Create hunting rule
File size:629'420 bytes
First seen:2022-05-11 15:27:08 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:DAg0MQNbjgV5JXkQXIqbCQOsZBxWzMseXQhHKn+hj4dIHtNvC8cnDfR:D30fjgyQvbWsZBxWzMskQhqnySQve9
TLSH T1C0D42359AF631B732245933C5BC38EF9AB32ABF48361456D06DBB1C3CA648E0550A58F
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:7z NanoCore QUOTATION zip


Avatar
cocaman
Malicious email (T1566.001)
From: "<Hara Vlahouli >operations@westernbulk.com" (likely spoofed)
Received: "from freightx.gr (unknown [212.193.30.204]) "
Date: "11 May 2022 08:23:47 -0700"
Subject: "MV PAPAYIANNIS III / WBC - CP 11.03.22 (REF:2201NZI00)"
Attachment: "QUOTATION.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.21711.ZipHeur.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/627bd61092de4ecac410a053/reports/4a18239d-050a-4d20-903e-b97c3d9bd6ec/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c7c69808d91c1b72143c1fd9c56a53c8bac6be4a19c1bf4e337fd1be830a9bf9
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7c69808d91c1b72143c1fd9c56a53c8bac6be4a19c1bf4e337fd1be830a9bf9/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 15:28:10 UTC
File Type:
Binary (Archive)
Extracted files:
14
AV detection:
7 of 41 (17.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7djqcgzdqnxefb4d7m4k2stzc5mnpskdha36trtp7i35ayktp4q._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220511-swbdksebel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
deranano2.ddns.net:1187
194.31.178:1187
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7c69808d91c1b72143c1fd9c56a53c8bac6be4a19c1bf4e337fd1be830a9bf9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip c7c69808d91c1b72143c1fd9c56a53c8bac6be4a19c1bf4e337fd1be830a9bf9

(this sample)

NanoCore

Executable exe 011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0
  
Dropping
NanoCore
  
Dropping
MD5 dbffb4682e330d635295ccdd92fe99c4

Comments