MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf1bc0e51ec2afbec5cffa1cf38e5ddcb6f9ce3aec8b737a55c8700600aa8caa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: NanoCore
Vendor detections: 10

SHA256 hash: cf1bc0e51ec2afbec5cffa1cf38e5ddcb6f9ce3aec8b737a55c8700600aa8caa
SHA3-384 hash: 0f46b0cee77c60476c91005011dbf617382412a26989f9436d0e2393a0e863ba3f2ec940af4c15d1bd71b820fde77497
SHA1 hash: 3f1ef725082b63c51266d353a8fc6a44f589a66e
MD5 hash: 3db6b2e92ac7aa0b1159eb451c15d4c7
humanhash: eighteen-bacon-stream-island
File name: 0473350311911207E·pdf.exe
Signature: NanoCore
File size: 1'089'964 bytes
First seen: 2023-07-12 06:27:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1f23f452093b5c1ff091a2f9fb4fa3e9 (276 x GuLoader, 36 x RemcosRAT, 23 x AgentTesla)
ssdeep: 24576:whlXr7DeTgcS2MF9UqWjuGprRsADyYYMZH10frKp7nYB10hAA:GXqTgxSzjuieW914B1I
Threatray: 692 similar samples on MalwareBazaar
TLSH: T12F3512D127368D03F392927C5511EF7D9C65AFA13C8ADA1323F86ED77910B62A839183
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: fab2b6e4b4b4a4a4 (5 x Loki, 2 x NanoCore, 1 x GuLoader)
Reporter: abuse_ch
Tags: exe NanoCore

Intelligence


File Origin
# of uploads: 1
# of downloads: 325
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0473350311911207E·pdf.exe
Verdict: Malicious activity
Analysis date: 2023-07-12 06:35:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Delayed reading of the file

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GuLoader, NanoCore, MailPassView, Remcos
Detection: malicious
Classification: troj.evad.phis.spyw
Score: 100 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Disables UAC (registry)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Yara detected MailPassView
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 1271586, sample 0473350311911207E·pdf.exe, start date 12/07/2023, architecture WINDOWS, score 100]
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2023-07-10 23:59:29 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 15 of 38 (39.47%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: family:nanocore discovery keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction: wqqkgzmrdwxl8j.duckdns.org:23591

Unpacked files
SHA256 hash: 408ad231f261f94d9baf41287124ff76896553f8638d97df5bef744e98d5ad76
MD5 hash: 77816ef437d1958d5e236fe6c7a909e3
SHA1 hash: 99a8fba004f4a13161abbb9fe90206fe5b488a23

SHA256 hash: cf1bc0e51ec2afbec5cffa1cf38e5ddcb6f9ce3aec8b737a55c8700600aa8caa
MD5 hash: 3db6b2e92ac7aa0b1159eb451c15d4c7
SHA1 hash: 3f1ef725082b63c51266d353a8fc6a44f589a66e
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: NanoCore
Sample: Executable exe cf1bc0e51ec2afbec5cffa1cf38e5ddcb6f9ce3aec8b737a55c8700600aa8caa (this sample)
