MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0dde788e773c61239053ee6dffff5e83043310ef27efac0f6d8275af0971b57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0dde788e773c61239053ee6dffff5e83043310ef27efac0f6d8275af0971b57
SHA3-384 hash: a2031ea7f8c9d655b463d18f109bab726a981fe505cb2974b8d92e6974c88945b24af1dae7f05347b13f8c24db22dc7b
SHA1 hash: 1b32b5e51aef92ff4cf0d86b377dc0e26795c2b5
MD5 hash: 0b934403f656857cffcff32823b6f8de
humanhash: carpet-tango-wyoming-leopard
File name:NA090900000.LzH
Download: download sample
Signature NanoCore
Create hunting rule
File size:367'911 bytes
First seen:2021-04-21 06:15:06 UTC
Last seen:2021-04-23 16:10:08 UTC
File type: zip
MIME type:application/zip
ssdeep 6144:TOxb5mvH2VUPKFlCc9+NmMH2pS0mYK2Cqqf6Xn7rIkX8WJScOkBHs/DW07/sfPmO:STUWVNhzMW809V7bAcOkBHsCo0fP1L
TLSH 0774231696EC13EB519A3437B1A0C15C286E00B46F7EA7B75DBA6772AC0410DF8349FB
Reporter cocaman
Tags:lzh


Avatar
cocaman
Malicious email (T1566.001)
From: "n.kharaishvili@ltb.ge" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.57.171]) "
Date: "20 Apr 2021 22:44:21 -0700"
Subject: "order #127"
Attachment: "NA090900000.LzH"

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Troj.Kryptik-VJ-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d0dde788e773c61239053ee6dffff5e83043310ef27efac0f6d8275af0971b57
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0dde788e773c61239053ee6dffff5e83043310ef27efac0f6d8275af0971b57/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 07:36:30 UTC
File Type:
Binary (Archive)
Extracted files:
5
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2do6pchhopdbeoifh3tn777v5ayegmio6j7pvqhw3atvv4exdnlq._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210421-tc849f3l1x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
NanoCore
Malware Config
C2 Extraction:
185.222.57.171:4445
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d0dde788e773c61239053ee6dffff5e83043310ef27efac0f6d8275af0971b57

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip d0dde788e773c61239053ee6dffff5e83043310ef27efac0f6d8275af0971b57

(this sample)

NanoCore

Executable exe 89a173beec574576632b98017aee8549e88ec2673fd5c3028a74f5ba2d9613b0

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 89a173beec574576632b98017aee8549e88ec2673fd5c3028a74f5ba2d9613b0

Comments