MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d057f1dfbb4300f6b2f7bd3615b2c11ac3b28cae1275f43f8b3a5d1e5a3c0b80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 9



SHA256 hash: d057f1dfbb4300f6b2f7bd3615b2c11ac3b28cae1275f43f8b3a5d1e5a3c0b80
SHA3-384 hash: e65953e10d9b0923a1bfa52ab13a1f08874cdbef213ee4d635079bf45a170c9f48def4d0132f66648337ff1eb4d5f55a
SHA1 hash: f5b24f48be74cc4e8806353fd44b8d259f56a7e9
MD5 hash: 3f4bf067d95fff883f1c3899a7f53235
humanhash: oregon-potato-zulu-carbon
File name: d057f1dfbb4300f6b2f7bd3615b2c11ac3b28cae1275f43f8b3a5d1e5a3c0b80
Signature: NanoCore
File size: 442'336 bytes
First seen: 2022-06-17 10:08:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 6144:FNeZOYc2grYUxfAcN4vSsWhxy3Kc3DVEmncO2qZjG+awEIX:FNbYclN7hNc3D5cYG+awEIX
TLSH: T13694F1023840A191C779473375D3AA399B36FCB782F5CA4721C8BF1B79F32A1661664E
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 686cbe94505848c4 (1 x NanoCore)
Reporter: adrian__luca
Tags: exe NanoCore signed

Code Signing Certificate

Organisation: Lilina4 BRIDGET
Issuer: Lilina4 BRIDGET
Algorithm: sha256WithRSAEncryption
Valid from: 2022-05-27T12:53:47Z
Valid to: 2023-05-27T12:53:47Z
Serial number: -6f98586eeda66963
Thumbprint Algorithm: SHA256
Thumbprint: 50979c848165cec148276fee662b7d2f6c42173d831ac49f709f600ee9776858
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 261
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d057f1dfbb4300f6b2f7bd3615b2c11ac3b28cae1275f43f8b3a5d1e5a3c0b80
Verdict: Malicious activity
Analysis date: 2022-06-17 10:09:15 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a file
Sending a custom TCP request
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: guloader nemesis overlay packed shell32.dll wacatac
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NanoCore, GuLoader
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph: ID 647585, Sample QU76Q3WDzp.exe, Startdate 17/06/2022, Architecture WINDOWS, Score 88 (the graph itself is an image on the original page)
Threat name: Win32.Trojan.Shelsy
Status: Malicious
First seen: 2022-05-27 16:36:57 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: family:guloader family:nanocore downloader keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Guloader, Cloudeye
NanoCore
Malware Config
C2 Extraction: press042.linkpc.net:4817
Unpacked files
SHA256 hash: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash: cff85c549d536f651d4fb8387f1976f2
SHA1 hash: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 hash: d057f1dfbb4300f6b2f7bd3615b2c11ac3b28cae1275f43f8b3a5d1e5a3c0b80
MD5 hash: 3f4bf067d95fff883f1c3899a7f53235
SHA1 hash: f5b24f48be74cc4e8806353fd44b8d259f56a7e9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
