MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5fefea8edb768f5a72cbe2e312098cc2d3ef3894e8c7ba8acab776093e6d9fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5fefea8edb768f5a72cbe2e312098cc2d3ef3894e8c7ba8acab776093e6d9fe
SHA3-384 hash: a341ecee8f7727ea066ab22da020d6fd0aba69bd4fe53e7c5a4eb5a604ac3d2c7bbbba5a71bdd5f48d441130383629ed
SHA1 hash: 7033f047f6a34de7033ca500d612228da5acf965
MD5 hash: 8b6661c5451ab98f0dfdc836b04f39f7
humanhash: robert-hot-leopard-fanta
File name:8b6661c5451ab98f0dfdc836b04f39f7.doc
Download: download sample
Signature NanoCore
Create hunting rule
File size:309'602 bytes
First seen:2020-05-06 16:38:28 UTC
Last seen:Never
File type:Word file doc
MIME type:text/rtf
ssdeep 1536:mwSTPByjtHv9YH9gs6o/a6kRQ+GbUZhyf6mQgaeeVhMDw5wfLN:mF57aRDAw5wf5
Threatray 1'150 similar samples on MalwareBazaar
TLSH E06458E820C78A50E655A528E9C4F58D05B2B5E770C84DB853EFF8739E59FD02E8818F
Reporter abuse_ch
Tags:doc NanoCore nVpn RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Exploit-RTF-Dropper-1.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilRTF.CommonLure.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXSTRGOOD.RTFSTR.SCRIPTLET.200421.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Script-VBS.Exploit.CVE-2017-8570
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 05:31:00 UTC
File Type:
Document
Extracted files:
10
AV detection:
17 of 48 (35.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2x7p5khnw5upljzmxyxdcieyzqwt544jj2ghxkfmvn3wbe7g3h7a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
NanoCore
3f4906997a52eb2fd4ee5341cc7acadbb66397a2edd75d2781770ede1e14dbef
NanoCore
4492477085185c93963a539b53e4b5b13039562d20131a9a6764c62acf1c8e25
NanoCore
4ebbe65cfe80f43324e007ecd5a4ae3ce57b0d07873df267e70d2355f06a8199
NanoCore
55aefb224ad3c9381b95d6c131b58141aeea9e59046eae8b53968a274108cfa8
NanoCore
8490e3d97ac25a9e1e87a0270a30076cc38b75ca705e28d5c78b93968b0231fb
NanoCore
86432e782ec0089c5cc180a225cf8aff59409c0ef773c0e10e6ddf898b0508bd
NanoCore
8ee9784e9c874e7b40e667115655e0965420c5233238ca1499cdd7c25c79dc6c
NanoCore
91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5
NanoCore
c8718b1795499f8f6958c2665914bd1320a4a3a6b039f00d19ab7ca283ffb968
NanoCore
+ 1'140 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-3k33xf1sfn/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
NTFS ADS
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Retefe
Create hunting rule
Author:bartblaze
Description:Retefe
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:win_alina_pos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_gootkit_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

NanoCore

Word file doc d5fefea8edb768f5a72cbe2e312098cc2d3ef3894e8c7ba8acab776093e6d9fe

(this sample)

NanoCore

Executable exe 0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd

  
URLhaus
https://urlhaus.abuse.ch/url/358984/
  
Dropping
SHA256 0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
  
Dropping
MD5 97cf08e91c6787be06aa7c2dcc36c9af

Comments