MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e77e8e6bee74e74ded1cc8ff3e83ffa7483aa2ab68af5562798ad9b18244f389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e77e8e6bee74e74ded1cc8ff3e83ffa7483aa2ab68af5562798ad9b18244f389
SHA3-384 hash: a807dfe69ae517a702ae5bca4539ea30548294d3f5a3c6f1a467b524ea59cc976dce78d1bd5f9a1875df60b56a72445b
SHA1 hash: c1ef704654764d1913b5b68388171b396831d1df
MD5 hash: 30dca5a89b215ca475437fc41ac44c71
humanhash: four-cat-minnesota-coffee
File name:HPE#0025_PDF.vbs
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'137'670 bytes
First seen:2021-07-16 17:32:19 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:LuL6zFNHvnFYTupctipY0wy7HBZsVNxAizejHIZXuBZxbR5+lVz5I:6LGvF9c46Aiq2QZheX5I
Threatray 9'131 similar samples on MalwareBazaar
TLSH T12A3523311F2ABDE945A5AB14A4463D2D1E681ADBC344F6E6779814C9007EE408F2BCBF
Reporter abuse_ch
Tags:NanoCore vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172238/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817619
Signature
.NET source code contains very large array initializations
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450030 Sample: HPE#0025_PDF.vbs Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Sigma detected: NanoCore 2->41 43 8 other signatures 2->43 7 wscript.exe 3 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\Temp\name.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\file.exe, PE32 7->27 dropped 45 Benign windows process drops PE files 7->45 47 VBScript performs obfuscated calls to suspicious functions 7->47 11 name.exe 1 5 7->11         started        15 file.exe 3 7->15         started        signatures5 process6 file7 29 C:\Users\user\AppData\...\InstallUtil.exe, PE32 11->29 dropped 49 Creates an undocumented autostart registry key 11->49 51 Machine Learning detection for dropped file 11->51 53 Writes to foreign memory regions 11->53 17 InstallUtil.exe 2 11->17         started        31 C:\Users\user\AppData\Roaming\...\nott.exe, PE32 15->31 dropped 55 Injects a PE file into a foreign processes 15->55 20 InstallUtil.exe 4 15->20         started        signatures8 process9 file10 33 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->33 35 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->35 23 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 20->23 dropped signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e77e8e6bee74e74ded1cc8ff3e83ffa7483aa2ab68af5562798ad9b18244f389/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 17:33:07 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=457i427oottu33i4zd7t5a77u5edvivlncxvkytzrlm3dase6oeq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
08850fbf72cfca13717b548debdd9da9ddda61bb0d059c1242e72604ce076051
NanoCore
0cbbdd2c9615f4d2de4e0232ace6b69889a54538444838ac6616a5aa39109c98
NanoCore
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
NanoCore
699d670809bccdbbdb2ae85d80be86d6fd00586c56e0375df34527d4ec6045cf
NanoCore
87621b8c28e96dee7b183db273e1865d1ab0edad8c39ce2948a8d6c1b694ca75
NanoCore
876b731a87a9261f5f533bab8b57c6cdc23664268fe8232cb6c65adb37b99c79
NanoCore
90c16db8c607f8ea1d0ed85c003b30692128327b4593e2fb45121a564fac6c11
NanoCore
b07ef4c584528991957dfbc17e62984fe06a6ae8ab441062b3d6910bbedf36b5
NanoCore
e0fe982389456170eea35ca081a62fc9ee770a27af6058c48059b0c80b4a620a
NanoCore
+ 9'121 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210716-2laaa1nnde/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
NanoCore
Malware Config
C2 Extraction:
sys2021.linkpc.net:11940
23.94.82.41:11940
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e77e8e6bee74e74ded1cc8ff3e83ffa7483aa2ab68af5562798ad9b18244f389

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172238/

Comments