MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec931494834c3ba43ce8bd08f7d8caab6648dd832ee1d2973ee3a746c71d1a9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec931494834c3ba43ce8bd08f7d8caab6648dd832ee1d2973ee3a746c71d1a9a
SHA3-384 hash: 0da0f1f6e41509c88b68e594adcfb7ae61867ab54008e389e62137d692c4f078c80aa2816ade77f1ad4357be226210a1
SHA1 hash: d77a6693ae835f2aa7e17b253a5f6dd81eda79a9
MD5 hash: bad63cf4495a75d5fdc0bb8bf0653843
humanhash: pip-dakota-wyoming-iowa
File name:168__DG54535TM_Metallwarenfabrik.xlsx
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'907'359 bytes
First seen:2023-12-22 17:41:48 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 49152:IyvoiPSh2stz7ODdl8VnzQFHwN9Etog2hxtbX6F4pX:IywiPScgzqsnMuEexpu4pX
TLSH T14A9533F61EF15BE8FD51ACBE5B015F71CB1DFCB6180F49512C92B1283E97A1812883A9
TrID 60.1% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
30.9% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.0% (.ZIP) ZIP compressed archive (4000/1)
1.7% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter smica83
Tags:CVE-2017-11882 HUN NanoCore xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A12153013 bytesOLE10nAtiVe
A20 bytesBPQE

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'998
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469068/
Detection(s):
SecuriteInfo.com.Malware.XML.Autoload-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Shelter.Malware.BadMacro.BadOleNatEquat.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EQAndMisCasedOleNativeWasTheCaseThatTheyGaveMe.20200215.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EQEditorFBShellzLetMeBlowYourMind.20210218.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Link:
https://app.docguard.net/ec931494834c3ba43ce8bd08f7d8caab6648dd832ee1d2973ee3a746c71d1a9a/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embedequation exploit
Link:
https://www.filescan.io/uploads/6585ca6b6b1c24604601c380/reports/189dc400-55f3-4768-8418-f55ca8cab00b/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/ec931494834c3ba43ce8bd08f7d8caab6648dd832ee1d2973ee3a746c71d1a9a
Label:
Malicious
Suspicious Score:
9.8/10
Score Malicious:
99%
Score Benign:
1%
Link:
https://www.malware.ai/gui/files/?id=70bbb5b6-11e9-4e23-8181-a6a9922b524c
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ec931494834c3ba43ce8bd08f7d8caab6648dd832ee1d2973ee3a746c71d1a9a
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366343
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1366343 Sample: 168__DG54535TM_Metallwarenf... Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 16 other signatures 2->42 7 EQNEDT32.EXE 11 2->7         started        12 EXCEL.EXE 53 12 2->12         started        process3 dnsIp4 32 bcmnursing.com 202.66.173.109, 49162, 80 NETMAGIC-APNetmagicDatacenterMumbaiIN India 7->32 34 www.bcmnursing.com 7->34 24 C:\Users\user\AppData\Roaming\word.exe, PE32 7->24 dropped 26 C:\Users\user\...\QubpyznbC7neo[1].exe, PE32 7->26 dropped 50 Office equation editor establishes network connection 7->50 52 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->52 14 word.exe 2 7->14         started        file5 signatures6 process7 signatures8 54 Detected Nanocore Rat 14->54 56 Writes to foreign memory regions 14->56 58 Allocates memory in foreign processes 14->58 60 Injects a PE file into a foreign processes 14->60 17 CasPol.exe 8 14->17         started        process9 dnsIp10 28 globron.duckdns.org 17->28 30 globron.duckdns.org 91.92.243.245, 49165, 9192 THEZONEBG Bulgaria 17->30 22 C:\Users\user\AppData\Roaming\...\run.dat, data 17->22 dropped 44 Detected Nanocore Rat 17->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->46 file11 48 Uses dynamic DNS services 28->48 signatures12
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ec931494834c3ba43ce8bd08f7d8caab6648dd832ee1d2973ee3a746c71d1a9a/
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2023-12-22 12:24:12 UTC
File Type:
Document
Extracted files:
16
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5sjrjfedjq52iphixueppwgkvnterxmdf3q5ffz64otunry5dkna._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231222-v9zz7scghn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
NanoCore
Malware Config
C2 Extraction:
globron.duckdns.org:9192
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec931494834c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec931494834c3ba43ce8bd08f7d8caab6648dd832ee1d2973ee3a746c71d1a9a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469068/

Comments