MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0527be82e7950e363f7030e931be288c4222019e5f3876a98d6b021feb185ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0527be82e7950e363f7030e931be288c4222019e5f3876a98d6b021feb185ee
SHA3-384 hash: e57e289e1f22adb7bafde30a1deb990787f18d4dc7d0f658e48cd5a2bc98fb618ac552ee6e0d5593b4079697023b841c
SHA1 hash: ad6c7c1bdf2d70eaa9202cdb5d63ec9e0547621d
MD5 hash: e19bf323c7836e14722cdf30efffdf60
humanhash: william-lithium-ceiling-xray
File name:PURCHASE ORDER_PDF________________________________.iso
Download: download sample
Signature NanoCore
Create hunting rule
File size:493'568 bytes
First seen:2021-04-21 06:17:07 UTC
Last seen:2021-05-05 05:34:01 UTC
File type: iso
MIME type:application/x-iso9660-image
ssdeep 12288:aNL2Ty0X7+9pF0y9n0u6LGHFCh45gFICrAtKM:ufA+9pFBz3lC+5v1tKM
TLSH 49A4121336D295B5E867463409708416926FBA648C31EC9F7ADC23AE0B739C5AFB0737
Reporter cocaman
Tags:DHL iso


Avatar
cocaman
Malicious email (T1566.001)
From: "<johnlay.ch support Team <support@johnlay.ch>" (likely spoofed)
Received: "from johnlay.ch (unknown [185.222.57.142]) "
Date: "4 May 2021 17:35:15 -0700"
Subject: "DHL EXPRESS SHIPMENT"
Attachment: "PURCHASE ORDER_PDF________________________________.iso"

Intelligence

File Origin
# of uploads :
6
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Iso_fs1731.UNOFFICIAL
Create hunting rule

Win.Malware.Satan-6952126-0
Create hunting rule

Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0527be82e7950e363f7030e931be288c4222019e5f3876a98d6b021feb185ee/
Threat name:
Win32.Trojan.FileinfectorX
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 01:05:22 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2bjhx2bopfiogy7xamhjgg7crdcceiaz4xzyo2uy22ycd7vrqxxa._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210421-d3se6hyhqn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Executes dropped EXE
NirSoft MailPassView
Nirsoft
NanoCore
Malware Config
C2 Extraction:
rickkkkygirl.ddns.net:9560
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d0527be82e7950e363f7030e931be288c4222019e5f3876a98d6b021feb185ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso d0527be82e7950e363f7030e931be288c4222019e5f3876a98d6b021feb185ee

(this sample)

NanoCore

Executable exe 60b6d55beee9f47ef1e04a854c5e985ad5475b84a92e048432ceae4650a9e3e1

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 60b6d55beee9f47ef1e04a854c5e985ad5475b84a92e048432ceae4650a9e3e1

Comments