MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea3d85d72960edd0ce292bfdbd190f4a1d2fb1506213d93e1a87e14b72278343. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 17

SHA256 hash: ea3d85d72960edd0ce292bfdbd190f4a1d2fb1506213d93e1a87e14b72278343
SHA3-384 hash: 1993e8e8bb576232ead6426cd3360b273d3b9360d066ca2ecf5cd508b44f8dc9a9d996bda694fa387b5bdbca9dd9b7f6
SHA1 hash: f1b6f72fcdb24b2a09b43df4948b5574d530b6ff
MD5 hash: f77021eed67c954c84ef0df5c54bb8cc
humanhash: washington-spaghetti-finch-ohio
File name: New Order 1.doc
Signature: NanoCore
File size: 133'066 bytes
First seen: 2024-01-12 13:16:57 UTC
Last seen: 2024-01-12 15:17:11 UTC
File type: Word file doc
MIME type: text/rtf
ssdeep: 768:KwAbZSibMX9gRWjtwAbZSibMX9gRWjKN7z4zqohRT741tt0SL85CFwji0J:KwAlRkwAlRD+hZ741tt0jjN
TLSH: T158D3AC6DD34B02598F520337AB1B1E5542BDBA7EF34452B1346C533933EAC39A2262BD
Reporter: e24111111111111
Tags: AgentTesla CVE-2017-11882 doc NanoCore new order rtf


e24111111154168
New Order 508/2024
info@sdprecisebioscience.com [info@sdprecisebioscience.com]
Sent: Thursday, 11 January 2024 13:14
Attachments:
New Order 1.doc (130 KB)


Good morning,

I wish you from the bottom of my heart a happy new year, with health and
happiness.

Attached is a new order 508/2024.


Please confirm price and delivery date.

Please let us know if there is a possibility of delivery before the date
specified in the order.

With Best Regards,
Vinay.
SD PRECISE BIOSCIENCE

2151, Mandi Extn., Bawana Road,
Narela, Delhi-110040, INDIA.
Skype: precisebio
Board: 011-27281157
Cell: +91-9312322165
Email: info@sdprecisebioscience.com

Intelligence


File Origin
# of uploads: 2
# of downloads: 384
Origin country: GR
Vendor Threat Intelligence

Malware family: nanocore
ID: 1
File name: f1b6f72fcdb24b2a09b43df4948b5574d530b6ff.rtf.tar.gz
Verdict: Malicious activity
Analysis date: 2024-01-11 15:09:52 UTC
Tags: loader exploit cve-2017-11882 nanocore rat remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching a process
Creating a window
DNS request
Creating a file in the %AppData% directory
Creating synchronization primitives
Sending an HTTP GET request
Creating a process from a recently created file
Result
Verdict: Malicious
File Type: Fake RTF File
Behaviour
BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: embedequation exploit packed shellcode

Label: Malicious
Suspicious Score: 10/10
Score Malicious: 1%
Score Benign: 0%
Result
Verdict: MALICIOUS

Result
Threat name: Nanocore
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document exploit detected (process start blacklist hit)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph (ID 1373744; sample New_Order_1.doc; start date 12/01/2024; architecture WINDOWS; score 100)

Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 22 other signatures

Process tree, dropped files, and network activity as recorded in the graph:

WINWORD.EXE
  dropped: ~WRF{86F822BF-747F...3-326B24D53F39}.tmp (Composite)
  EQNEDT32.EXE
    signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    network: link.blueyonderllc.top, 172.67.183.155, ports 49162, 80 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\AppData\Roaming\linc26340.exe (PE32); C:\Users\user\AppData\Local\...\linczx[1].exe (PE32)
    linc26340.exe
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 5 other signatures
      linc26340.exe
        signatures: Detected Nanocore Rat; Hides that the sample has been downloaded from the Internet (zone.identifier)
        network: tzitziklishop.ddns.net, 103.114.104.158, ports 1664, 49165, 49166 (VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Viet Nam); Uses dynamic DNS services
        dropped: C:\Program Files (x86)\...\smtpsvc.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp2FE7.tmp (XML)
        schtasks.exe
        schtasks.exe
      powershell.exe
        signatures: Installs new ROOT certificates; Powershell uses Background Intelligent Transfer Service (BITS)
taskeng.exe
  linc26340.exe
    signatures: Detected Nanocore Rat; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    powershell.exe
      signatures: Powershell uses Background Intelligent Transfer Service (BITS)
    linc26340.exe
      signatures: Detected Nanocore Rat
    linc26340.exe
  smtpsvc.exe
    powershell.exe
    smtpsvc.exe
    smtpsvc.exe
    3 other processes
smtpsvc.exe
  signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  powershell.exe
    signatures: Powershell uses Background Intelligent Transfer Service (BITS)
  smtpsvc.exe
Threat name: Document-RTF.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2024-01-12 13:17:05 UTC
File Type: Document
Extracted files: 3
AV detection: 16 of 37 (43.24%)
Threat level: 5/5

Result
Malware family: nanocore
Score: 10/10
Tags: family:nanocore evasion keylogger persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
NanoCore
Malware Config
C2 Extraction: tzitziklishop.ddns.net:1664
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_RTF_MalVer_Objects
Author: ditekSHen
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.

Rule name: SUSP_INDICATOR_RTF_MalVer_Objects
Author: ditekSHen
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit (e.g. CVE-2017-11882) documents.
Reference: https://github.com/ditekshen/detection

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Word file doc ea3d85d72960edd0ce292bfdbd190f4a1d2fb1506213d93e1a87e14b72278343 (this sample)

Delivery method: Distributed via e-mail attachment

Comments