MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcb880afbaa7e57f574b4e08595ef2c1ac7100a695359c1edc9af535d7f9e64f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	dcb880afbaa7e57f574b4e08595ef2c1ac7100a695359c1edc9af535d7f9e64f
SHA3-384 hash:	4cc303108592d53cd5bd3f8db6f7a04667e29f602098ff9ea1d5bd96e28514fa2a6e8a6e14b63811081e5ed17fef7fa9
SHA1 hash:	fda0643b600efd8581a7e09cf0a2cca3283c24f4
MD5 hash:	741f49228d104bb3783842ab5ee003a3
humanhash:	social-jupiter-happy-alabama
File name:	Purchase_Order_2022172-89386-TPW-78-PH.xll
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'430'016 bytes
First seen:	2022-02-17 10:56:36 UTC
Last seen:	2022-02-17 13:02:25 UTC
File type:	xll
MIME type:	application/x-dosexec
imphash	be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep	24576:503bX1XBY4ZyrE7K3yG8PeVooA/qB2KSxV2XljA36/mnjtNoSXd27O:5IV2Xlw6iLd
Threatray	31 similar samples on MalwareBazaar
TLSH	T14265E155BECA6EA1EFBF43B78361D63D1215736D03A0AACF6643059D3951EC2443EA03
Reporter	ankit_anubhav
Tags:	NanoCore xll

Intelligence

File Origin

# of uploads :

2

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.MSIL.ajhkd.16429.24892.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/dcb880afbaa7e57f574b4e08595ef2c1ac7100a695359c1edc9af535d7f9e64f/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware packed

Link:

https://www.filescan.io/uploads/620e2a05ac8ad0468b4b48b2/reports/2e9bdcf9-3f30-48ba-af39-5524cf665ae9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dcb880afbaa7e57f574b4e08595ef2c1ac7100a695359c1edc9af535d7f9e64f/

Threat name:

Win32.Trojan.XllDownloader

Status:

Malicious

First seen:

2022-02-17 10:57:15 UTC

File Type:

PE (Dll)

Extracted files:

2

AV detection:

17 of 27 (62.96%)

Threat level:

5/5

Verdict:

unknown

Similar samples:

30980176792fc176767dfd338ef7fd0b73f04b66cd63e1e3b0bbf485bc064ed4

882312787d62f8bbebd46a7ce54207ec7eced13335de9ce6ae75a0a1e52dcb09

97e21c7a37cbdb5cff93a18cce5b5495574be821d999e0e876c8be48ab56ca6e

b434e54b1f162ec9a1f9e943e8829069c8e91ff4998acdb6f0e5aa34ceee1cc4

bac03f9b60b043b72ae8548b8915dd6058c71b6beae23652389b0cb9310af91d

ce5c54ac577153e15fb793c022b54fb473752b876525111d6aac97369e72e85e

e01271da5d003c2c0c47314e9bf83fc66e2329c27e7febd768db1a4ecc45aedb

fbfaa1c4f9d13a4c6043bc66e71df3304be8bf8eec0277680c65c2bef402513b

fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

+ 21 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:nanocore evasion keylogger persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220217-m2afkscbaq/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Loads dropped DLL

Executes dropped EXE

NanoCore

suricata: ET MALWARE Possible NanoCore C2 60B

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dcb880afbaa7e57f574b4e08595ef2c1ac7100a695359c1edc9af535d7f9e64f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

xll dcb880afbaa7e57f574b4e08595ef2c1ac7100a695359c1edc9af535d7f9e64f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2046293/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample