MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cea18db1c0381fbc4a6d3a1d28163f5c51352f1fb79a960ac5dcb91b29c5e5af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cea18db1c0381fbc4a6d3a1d28163f5c51352f1fb79a960ac5dcb91b29c5e5af
SHA3-384 hash: 02df232484e9960749b138bc11dc8d77003c43973e817b19ec41c0e380eb63bcc0dabdbd2d778ffd257bbecd16a00d03
SHA1 hash: e4194138ff9b7a564e942f45baf3fb133fb316c0
MD5 hash: 8e4757f39f23851f65d4340ee81f9697
humanhash: arizona-high-uncle-butter
File name:BL DRAFT.arj
Download: download sample
Signature NanoCore
Create hunting rule
File size:584'759 bytes
First seen:2022-08-30 19:23:20 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:P80tm+BFT+R4Wj8aD6L7g+o/imPO/RSr2Q5ESIy65rH9C+KahwwIXWX6Xh:P80o+b+RP4L7gx/imIRpfLjBVAgMh
TLSH T1B4C423CA7B08367840A5BFE4C5A3D2EC9B3678202245E85649CBB3DD9F214EF335469D
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:arj NanoCore zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Rinky Lalwani [rinky@goodrichindia.com]" (likely spoofed)
Received: "from panjikeji.com (unknown [107.182.129.248]) "
Date: "29 Aug 2022 13:54:25 +0200"
Subject: "01ST CHECK COPY/// BL NO.VASHZACMB001467/// EXPORT RELEASE ORDER : VASHZA2200177//VASHZA2200178 || 01X20 GP || FPOD : COLOMBO // 1X20 // COLOMBO // HAZ // CLASS : 6.1 // UN NO : 1601//PG : II / /HAZIRA PICK UP//HAZIRA LOADING//384 PACKING"
Attachment: "BL DRAFT.arj"

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1427.23113.17777.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/630e654d5e025f2e7b034950/reports/bf6cfd13-202f-4046-a352-691a1fad5469/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/cea18db1c0381fbc4a6d3a1d28163f5c51352f1fb79a960ac5dcb91b29c5e5af
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cea18db1c0381fbc4a6d3a1d28163f5c51352f1fb79a960ac5dcb91b29c5e5af/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-08-29 17:11:13 UTC
File Type:
Binary (Archive)
Extracted files:
23
AV detection:
8 of 41 (19.51%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2qy3moahap3ystnhiosqfr7lritkly7w6njmcwf3s4rwkof4wxq._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220830-x4ehesehdj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
dera5nano.ddns.net:1010
107.182.129.248:1010
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cea18db1c0381fbc4a6d3a1d28163f5c51352f1fb79a960ac5dcb91b29c5e5af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip cea18db1c0381fbc4a6d3a1d28163f5c51352f1fb79a960ac5dcb91b29c5e5af

(this sample)

NanoCore

Executable exe 81f2b379359e0d425565be86c1ff9ec7978dba9a8a4312b4552be9baeb25ba86

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 81f2b379359e0d425565be86c1ff9ec7978dba9a8a4312b4552be9baeb25ba86
  
Dropping
NanoCore
  
Dropping
MD5 64201c1170ff4a15c04e12b4dcdbb2ac

Comments