MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1931549889314ea581a097b46eb2ccb8dbd08d7da7f7695c5eac9a6854faa3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1931549889314ea581a097b46eb2ccb8dbd08d7da7f7695c5eac9a6854faa3a
SHA3-384 hash: e70071f40f970a5c95c3f587cb3d8af027c01b34ab425d2269e0549913d482357a38e080be510ecadec14a1928213d03
SHA1 hash: 6957358bd935b3274d65496ec8a473bbc4800d8c
MD5 hash: 88ccfa05fb258c9c6c638070d5c0eed0
humanhash: xray-lion-oven-bravo
File name:Invoice 453745.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:642'048 bytes
First seen:2020-04-13 17:10:00 UTC
Last seen:2020-04-13 17:48:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:4c9NJLEcMup6DXSPqA41Wi/31PtKlVIbLw4rSXKtXIk3kpAzopgqdCMX5iTRgwmF:4crpWXWi/elIMI9Lzsnd9pPaC7F
Threatray 11'033 similar samples on MalwareBazaar
TLSH AFD4072B663CEAE5F62EBEB0500513445132FC821A71E11BDB9F3CC5C937A4BD8966C6
Reporter c_APT_ure
Tags:NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.LuheFihaA.3673.7199.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2020-04-11 13:02:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gjrksmismkouwa2bf5un2zmzog32cgx3j7xnfof5le2nbkpvi5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
125da1fd4c66a6d1a0cb3a188173e53d7cf563c1f8c6bdf157b2c4195c169466
NanoCore
160e7aaa4e51fa944fdd6634193b77be5b9f7f9f1b694b9fdfb9ae1d7d5a430c
NanoCore
166087b5c6159f9d5ec3df7b7359f111692e0b8d93182a633abeee98aab686f0
NanoCore
29c9b2df968cf06a228499ea0ff480ce413431632194333ce7b7d3083c980554
NanoCore
89c3a9a4a75c80b3552df2a5bda935056bc3a55a6f76b264645593cb966e2b74
NanoCore
c02b49e5a0261900bc7783b465f1fadfc57b622467f544904e91b2812a1a8081
NanoCore
d1af0c54eca027eb8089a7a721c88de4cd6e522c5cf3f38919249d2513174d1b
NanoCore
fb021aafa1c9baf15ea052eb0677921d08c6d4813982e9a59503975e784c1d14
NanoCore
fbec74e89895d0de9b043cecef65c5accf0224ce527caad70a016d74322e5ac9
NanoCore
ff278ebc92da79938de3a3e3efc7189862cd88d282b6a672fe94232279851be1
NanoCore
+ 11'023 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments