MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
SHA3-384 hash: b1f42339aa41947832faddb813ae9d70532c3d2e1b03d5b9c01640741bbc2e0d9e7e27552c22f494e3e492c12cad6cae
SHA1 hash: da267ad7c11acb864db25a561fea1e2cc3663fd0
MD5 hash: 3beaa725263104d4638eb877a7d0b37d
humanhash: undress-nineteen-pasta-purple
File name:Invoice# 77-84993-84929.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'082'880 bytes
First seen:2021-01-13 20:16:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:pVTN1bAVAo+sZ5Ox7NJEAebUfl0u/r3qEO5CLTvaskuDKUZ:HNG6o+Py+25C/asxJZ
Threatray 47 similar samples on MalwareBazaar
TLSH 9D35124133584F62C13EABF9453A514507F1BA269473E24C8FC198EF4AA8FE58AD8F17
Reporter abuse_ch
Tags:exe NanoCore


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: www2040.sakura.ne.jp
Sending IP: 59.106.171.50
From: shouhei@suzukakawakita.co.jp
Reply-To: aggreko@emirates.net.ae
Subject: Fwd:Re:Re:Re: Notice on the above Invoice #756-77988-23989646
Attachment: Invoice 77-84993-84929.zip (contains "Invoice# 77-84993-84929.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice# 77-84993-84929.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 05:34:24 UTC
Tags:
rat nanocore
Link:
https://app.any.run/tasks/deb033eb-69db-45f9-8e51-bde36b8135a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111861/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Connection attempt
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580628
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 20:17:15 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5oqkx2kgdx4ey5uutxznkwpwnmbxts632qyprw4ijrk5bksgtgaa._file
Verdict:
unknown
Similar samples:
1d12e0ea21ddb6f39d309e836c5f8e2c3fcfd4c167b20185ca3723233230bb8b
NanoCore
495955225d3f8b7ee34f7f194685ac06621f177e25aca6bde09d038b0a2afd74
NanoCore
5024f86a2a158f964ce6833a7920c53e7962d0db4a542f4656267f46b55a57ef
NanoCore
738e16b6660e32ed957f9fd9e0c5cea56b1aaa7695bcdb56998ca9866071e32b
NanoCore
767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
NanoCore
7b2e9f16b557d194f079e970dac923105073eb2aed4b63960c05d5c4bb816184
NanoCore
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290
NanoCore
b8d2de495b9ec7f42b0f25b1fc532915a4378b683daafb1ecb5171624ea7a83c
NanoCore
c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e
NanoCore
fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94
NanoCore
+ 37 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210113-yhqbyretns/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
NanoCore
Unpacked files
SH256 hash:
eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
MD5 hash:
3beaa725263104d4638eb877a7d0b37d
SHA1 hash:
da267ad7c11acb864db25a561fea1e2cc3663fd0
Link:
https://www.unpac.me/results/6fb553eb-b5c1-41b4-9915-d49db5c4ff8d/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/6fb553eb-b5c1-41b4-9915-d49db5c4ff8d/
SH256 hash:
a4ec07da5b0cb5b27f4abe2154019d77d2c651f3aeee3e62a5284fe793634b5c
MD5 hash:
1b2ab0fe52c61f4827e5762df11c2065
SHA1 hash:
6a6614f9b8d166bca2753ecdc03cf9d9d8eb6130
Link:
https://www.unpac.me/results/6fb553eb-b5c1-41b4-9915-d49db5c4ff8d/
SH256 hash:
224aab4e78a01b4b8526f6a7a08165d6703771041d2e1a5157e04525d5f73b75
MD5 hash:
032b7a230eb24e53cfa66d1d9334bb88
SHA1 hash:
d4f34eb53beb18ec8db5295aa85f7bc666eb38b5
Link:
https://www.unpac.me/results/6fb553eb-b5c1-41b4-9915-d49db5c4ff8d/
SH256 hash:
8676ca30e00154d82085129244e8aacccefb157833b571a78754a07326a404f6
MD5 hash:
baf5cb22d38bf2ee41a5bf928ee2a938
SHA1 hash:
2441e14f04866fe84fb68f99afd39aa795c19349
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/6fb553eb-b5c1-41b4-9915-d49db5c4ff8d/
SH256 hash:
2abc66806df0281c88b2be66e2c45649717ea13c3cdd3808a1a9fc1738e9a098
MD5 hash:
1e904859805f5f791a26e8108415f16e
SHA1 hash:
67886f9f324c9c565b938f5ac57d6e69e6094455
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/6fb553eb-b5c1-41b4-9915-d49db5c4ff8d/
SH256 hash:
5dae3294627954ecbae6ebd29e36800f8e36aba506db1a8fba640c2989f7dd96
MD5 hash:
401c35c5f4b53f2a172dff5bea1e8706
SHA1 hash:
d15f289630a6a1e8dcf0362e0080553249db5995
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/6fb553eb-b5c1-41b4-9915-d49db5c4ff8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 037fd0f2de0d71ef8f39d3ac237f3eab818146a6fd7d72b3241feb5296c32b24

NanoCore

Executable exe eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980

(this sample)

  
Dropped by
MD5 22e85a6eaf5155d42ab4b6a0accc1068
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111861/
  
Dropped by
SHA256 037fd0f2de0d71ef8f39d3ac237f3eab818146a6fd7d72b3241feb5296c32b24

Comments