MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0
SHA3-384 hash: ae19f5cfb05ab2cf3dab0cd921d8ed9e603a67d3d3ee97d681754ff7073f43bae9540c2344e18dfa332fa930c6bda172
SHA1 hash: d24802c550052b9ddab93abd4e2bb9bb5475484c
MD5 hash: 8be70917ebf56f359573be539dc5a4e3
humanhash: alaska-victor-neptune-virginia
File name:vbc.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:763'392 bytes
First seen:2020-08-28 14:50:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:CU2wBd/cpMypdPaolVso23FhmE3If1hBJ:zYMypxao2HmTrJ
Threatray 2'244 similar samples on MalwareBazaar
TLSH 86F47BC6710C7577D9260AB0C87296526AF16EA56B74882FA4CD3E5F37333F24091AB3
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/52439/
Detection(s):
SecuriteInfo.com.Fareit-FYY8BE70917EBF5.24729.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/453634
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
Creates an undocumented autostart registry key
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 279189 Sample: vbc.exe Startdate: 28/08/2020 Architecture: WINDOWS Score: 100 72 www.fluffygiftshop.com 2->72 74 fluffygiftshop.com 2->74 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 6 other signatures 2->88 11 vbc.exe 5 2->11         started        signatures3 process4 file5 68 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 11->68 dropped 70 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 11->70 dropped 106 Tries to detect virtualization through RDTSC time measurements 11->106 108 Injects a PE file into a foreign processes 11->108 15 vbc.exe 11->15         started        18 cmd.exe 1 11->18         started        20 cmd.exe 3 11->20         started        23 cmd.exe 1 11->23         started        signatures6 process7 file8 110 Modifies the context of a thread in another process (thread injection) 15->110 112 Maps a DLL or memory area into another process 15->112 114 Sample uses process hollowing technique 15->114 116 Queues an APC in another process (thread injection) 15->116 25 explorer.exe 6 15->25 injected 30 reg.exe 1 1 18->30         started        32 conhost.exe 18->32         started        54 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 20->54 dropped 34 MpCmdRun.exe 1 20->34         started        36 conhost.exe 20->36         started        56 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 23->56 dropped 38 conhost.exe 23->38         started        signatures9 process10 dnsIp11 76 starrywriter.com 35.209.108.49, 49725, 80 GOOGLE-2US United States 25->76 78 vembanadrestaurant.com 66.235.200.147, 49738, 49739, 49740 CLOUDFLARENETUS United States 25->78 80 3 other IPs or domains 25->80 64 C:\Users\user\AppData\...\un7dkzw1bbxn.exe, PE32 25->64 dropped 66 C:\Program Files (x86)\...\un7dkzw1bbxn.exe, PE32 25->66 dropped 100 System process connects to network (likely due to code injection or exploit) 25->100 102 Benign windows process drops PE files 25->102 40 cmmon32.exe 1 17 25->40         started        44 un7dkzw1bbxn.exe 1 25->44         started        104 Creates an undocumented autostart registry key 30->104 46 conhost.exe 34->46         started        file12 signatures13 process14 file15 58 C:\Users\user\AppData\...\990logrv.ini, data 40->58 dropped 60 C:\Users\user\AppData\...\990logri.ini, data 40->60 dropped 90 Detected FormBook malware 40->90 92 Tries to steal Mail credentials (via file access) 40->92 94 Tries to harvest and steal browser information (history, passwords, etc) 40->94 98 3 other signatures 40->98 48 cmd.exe 1 40->48         started        62 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 44->62 dropped 96 Injects a PE file into a foreign processes 44->96 50 un7dkzw1bbxn.exe 44->50         started        signatures16 process17 process18 52 conhost.exe 48->52         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-28 14:49:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
64
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4isogbkuzy5ihrxpfsq4qg2qzi3xjbxvlpwrsb4glblyxpxyitya._file
Verdict:
malicious
Similar samples:
07f7b852dc1cd3c5527fef6c09019b723a9e17ddc6b236c16e992784940b7a81
NanoCore
129d2b74553bc4da544e243a8e44cb7caf3b446ba23a32ed7279fe2dfeae9878
NanoCore
13e11d298269b106ef9529e7cd3c659bc59b4acb040f521a682f55e49c4ae7a9
NanoCore
1e82d551bb0693edad6a527c0355b59476d25afc326168b616205fe186ca5a30
NanoCore
23486053a77b3b37f7323a6bd6941ec13d341fc553bcb0675b475cef4392c894
NanoCore
2b9703840cea3c427f1abf8ec784be06107fe7db48e1921c427b8a8a4254bda5
NanoCore
70ecffff57ecd39682bc7de003d937b43d0b0c9bfaadd315d236627475608e54
NanoCore
7f9c9b969cacb0ea5d679baff92d33438a27ecb67786022aa03f9f43a4ce56f4
NanoCore
f3c6e6f5bf996841cc3777b0b3769e2092e5a85ad110b46764b45c3681793874
NanoCore
f7321d982e89fafff68c30ca74dbc1612466c4385a51a0a7b203641e31b27c26
NanoCore
+ 2'234 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200828-rwydn98y2a/
Behaviour
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joom-new3.info/mzg/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/52439/
  
URLhaus
https://urlhaus.abuse.ch/url/446048/

Comments