MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf073b1d85bc136488382be2c83c264ac64d2df279752341b1c4601c6201a41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caf073b1d85bc136488382be2c83c264ac64d2df279752341b1c4601c6201a41
SHA3-384 hash: ed320b7b26d8c773678f10b058cfad426ea458a9eb044866a6c9349c263b2ac3482debc67b139ff4fb58709b84691b57
SHA1 hash: 4ba8b368c32fa57703613e0c98d90381b872d5ad
MD5 hash: 42ee1ad3b4600a955888780e8899c1ce
humanhash: mirror-zebra-beer-yellow
File name:chrome.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:597'440 bytes
First seen:2023-02-20 15:15:48 UTC
Last seen:2023-02-20 16:30:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (526 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:L5Z+mqofs6TaXML3crUlbIInrHR2Fwn6DijBtpl2i6F+0cfjoop:tUJN9MwrfInrHvnY7ipzoop
Threatray 621 similar samples on MalwareBazaar
TLSH T12ED422074AB14887F1A61A341FFB8676F8FA5C11742C239B9BB27F093900AC1E59EF55
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0e4caccccacd870 (4 x GuLoader, 1 x NanoCore)
Reporter 0xSnowl
Tags:exe NanoCore signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-31T06:37:23Z
Valid to:2026-01-30T06:37:23Z
Serial number: 4e981d23854531c3a9e3644f2e173e9ddd78cb24
Thumbprint Algorithm:SHA256
Thumbprint: 96fc006c0636833aa714596b020eac65a7069441fc9cabb455ffcb7f81b5ca77
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
TH TH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
chrome.exe
Verdict:
Malicious activity
Analysis date:
2023-02-20 15:16:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0204664a-7b35-4e00-a19f-c75e0f02937d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368469/
Detection(s):
SecuriteInfo.com.Heur.16855.28331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Creating a file
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71863/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f38eb742bf85850e3e4c8b/reports/f48aff92-73d8-483d-a1e6-604dcb9f0c49/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/caf073b1d85bc136488382be2c83c264ac64d2df279752341b1c4601c6201a41
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b44380a0-c952-4ce8-930a-667db2c44b7e
Result
Threat name:
NanoCore, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1179292
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 11577 Sample: chrome.exe Startdate: 20/02/2023 Architecture: WINDOWS Score: 72 31 googlehosted.l.googleusercontent.com 2->31 33 drive.google.com 2->33 35 doc-04-c4-docs.googleusercontent.com 2->35 43 Sigma detected: NanoCore 2->43 45 Yara detected GuLoader 2->45 47 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->47 8 chrome.exe 1 47 2->8         started        signatures3 process4 file5 19 C:\Users\user\AppData\Roaming\...\pexdll.dll, PE32 8->19 dropped 21 C:\Users\user\...\libpangowin32-1.0-0.dll, PE32+ 8->21 dropped 23 C:\Users\user\AppData\Roaming\...\UIlib.dll, PE32+ 8->23 dropped 25 C:\Users\user\AppData\Local\...\System.dll, PE32 8->25 dropped 49 Writes to foreign memory regions 8->49 51 Tries to detect Any.run 8->51 12 CasPol.exe 1 17 8->12         started        signatures6 process7 dnsIp8 37 drive.google.com 142.250.185.238, 443, 49813 GOOGLEUS United States 12->37 39 googlehosted.l.googleusercontent.com 172.217.18.97, 443, 49814 GOOGLEUS United States 12->39 41 212.87.204.153, 49815, 49816, 49817 GEMENIIGEMENIINETWORKRO Germany 12->41 27 C:\Users\user\AppData\Roaming\...\run.dat, data 12->27 dropped 29 C:\Users\user\...\Ufordjelighedens.exe, PE32 12->29 dropped 53 Tries to detect Any.run 12->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->55 17 conhost.exe 12->17         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caf073b1d85bc136488382be2c83c264ac64d2df279752341b1c4601c6201a41/
Threat name:
Win32.Downloader.Minix
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 15:16:12 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
5 of 25 (20.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlyhhmoylpatmsedqk7cza6cmswgjuw7e6lvena3drdadrradjaq._file
Verdict:
unknown
Similar samples:
09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4
NanoCore
0ece63c571823c71e6d37ac23d7f4bc8633b977f175237594d0cda52ea25bb7f
NanoCore
11ea8640caec973b1823c96000bd50a2c604317888111273f7e93a37412fa2a9
NanoCore
1875b7fa5fb3b439c6761a821b5b6c3fc060ba2010578e84736c2cd58585abe9
NanoCore
18b1abba90cf4a74b7216b91f02febb1c8694113f5ddc3507fd35b66253bcb83
NanoCore
477a29d2e03d859728199db78202351c684abccee49d39cd68fc8600cf61edaa
NanoCore
c613749fa5ddfbc29b303f99f48fde9a00ae31c5d560e04e92922df1f966be94
NanoCore
c78fa33e02041e7bdf168a1d8d39d3a4f818cd7b3e65c914e8dd8b0bc849deff
NanoCore
d0f56b683a0e0f551a85d93ab7b366c6ae5f933c57da5e2790d7f4bbb8f2beaa
NanoCore
d418b33e0f47d43fcc31e623c7c2b581aa9df51fb47a15414a8bb45b009f813b
NanoCore
+ 611 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230220-sngkmaag9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
212.87.204.153:6100
Unpacked files
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/7ea65765-805c-43b9-9673-9956e42d040c/
SH256 hash:
70e1b9c728808d16d62c80157247803837ddc74c3d8df66bc5311094f7bdbf05
MD5 hash:
75dc68aefd141ad35a4f72e4e10b0067
SHA1 hash:
b82cd4276203f2af57655584acf5df1696a05879
Link:
https://www.unpac.me/results/7ea65765-805c-43b9-9673-9956e42d040c/
SH256 hash:
caf073b1d85bc136488382be2c83c264ac64d2df279752341b1c4601c6201a41
MD5 hash:
42ee1ad3b4600a955888780e8899c1ce
SHA1 hash:
4ba8b368c32fa57703613e0c98d90381b872d5ad
Link:
https://www.unpac.me/results/7ea65765-805c-43b9-9673-9956e42d040c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/caf073b1d85b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/caf073b1d85bc136488382be2c83c264ac64d2df279752341b1c4601c6201a41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368469/

Comments