MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f06a575032e67caa4508ab3a65bfc564c4686260083d2f31c0a1c9694e8bb9f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f06a575032e67caa4508ab3a65bfc564c4686260083d2f31c0a1c9694e8bb9f1
SHA3-384 hash: ff4e70dfaac55c21a23bcb79d92141c56eae6742882548234e715e455aee7404f0a098b58ed14ebfd0af6b78797be40c
SHA1 hash: 79163cd005a74e7771234342df287d6ab9d5d731
MD5 hash: 993e1596077047b2ab75c1d7d585894e
humanhash: november-oregon-maryland-four
File name:DHL AWB TRACKING DETAILS.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:497'152 bytes
First seen:2020-10-19 06:29:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:yxMGykgxs47Kpb8N1Uqdm9MUHgvOt+yQ43:yxYkqNvm9M25t+yQ4
Threatray 1'165 similar samples on MalwareBazaar
TLSH 00B4F1A617AB0197E1C1B834CF5ACAB50BB1AE26175903E631D73F0F767E5D38142B22
Reporter abuse_ch
Tags:DHL exe NanoCore


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.goofty.ml
Sending IP: 89.223.121.130
From: DHL OFFICE <dhl@goofty.ml>
Subject: DHL NOTIFICATION:- YOUR PACKAGE HAS ARRIVED ON 18/10/2020
Attachment: DHL AWB TRACKING DETAILS.PDF.z (contains "DHL AWB TRACKING DETAILS.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72722/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494926
Signature
.NET source code contains potential unpacker
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299927 Sample: DHL AWB TRACKING DETAILS.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 42 chinomso.duckdns.org 2->42 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 10 other signatures 2->52 9 DHL AWB TRACKING DETAILS.exe 2 2->9         started        12 DHL AWB TRACKING DETAILS.exe 3 2->12         started        15 dhcpmon.exe 3 2->15         started        17 dhcpmon.exe 2 2->17         started        signatures3 process4 file5 56 Injects a PE file into a foreign processes 9->56 19 DHL AWB TRACKING DETAILS.exe 1 12 9->19         started        40 C:\Users\...\DHL AWB TRACKING DETAILS.exe.log, ASCII 12->40 dropped signatures6 process7 dnsIp8 44 chinomso.duckdns.org 197.210.227.36, 7688 VCG-ASNG Nigeria 19->44 32 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->32 dropped 34 C:\Users\user\AppData\Roaming\...\run.dat, data 19->34 dropped 36 C:\Users\user\AppData\Local\...\tmp19C3.tmp, XML 19->36 dropped 38 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->38 dropped 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->54 24 schtasks.exe 1 19->24         started        26 schtasks.exe 1 19->26         started        file9 signatures10 process11 process12 28 conhost.exe 24->28         started        30 conhost.exe 26->30         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f06a575032e67caa4508ab3a65bfc564c4686260083d2f31c0a1c9694e8bb9f1/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 22:58:58 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6bvfoubs4z6kuriivm5glp6fmtcgqytaba6s6moauhewstulxhyq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
269c0be3dc659333fee54772b29e3f4accec61cb7e13fb9794f157858bcf5230
NanoCore
3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b
NanoCore
483338a656b2a7bf095d9bf3ca950419f217acdb9812b3d0013ccc13785f305e
NanoCore
56e710ea1f70626aee844269cb7197e2142908b70082908436a77e1ee4d9fce7
NanoCore
5b38a4755a8300052443ad21fe01717fe6b94ccc1a6747f9a8d8c878a8513df5
NanoCore
5e3140ed7841e6893114a0d4d9c5ee239736449aaba20d2c8939a051e5ef21c5
NanoCore
99e8759e702f1bec43e3646d6c217523a4062918226541899ba710f37c51a12c
NanoCore
c4c568a39e7d764ed403c5fa9315bfc027b578f7649fec4dda4def19848b4a8e
NanoCore
cff3d5fedc8fdab09a7b27524a02503b53f4f7378ab0a09219701d3b9c3e68f4
NanoCore
dca09e669f01dcc5efa9ab9120ce3febd53868b3ba12a6e0b4574b82b3d0e392
NanoCore
+ 1'155 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:nanocore persistence evasion
Link:
https://tria.ge/reports/201019-3q98qj9b2e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
NanoCore
Malware Config
C2 Extraction:
chinomso.duckdns.org:7688
Unpacked files
SH256 hash:
f06a575032e67caa4508ab3a65bfc564c4686260083d2f31c0a1c9694e8bb9f1
MD5 hash:
993e1596077047b2ab75c1d7d585894e
SHA1 hash:
79163cd005a74e7771234342df287d6ab9d5d731
Link:
https://www.unpac.me/results/8705f7c1-fd32-4b81-ae1b-92c51b8a1910/
SH256 hash:
9bfb73e2e4d0139d26eaa4dc1ef6a08057175d3d0aa4faafd5b132f7d0fab554
MD5 hash:
cca6179d36fe65c7c88e83c87e651b6c
SHA1 hash:
307583bc718d5c0e0c6a0599831f5a7ec941ff9f
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/8705f7c1-fd32-4b81-ae1b-92c51b8a1910/
Parent samples :
be017012e16d938d67c9ad9d42b6b5ea1c153c52fc87b7c6e60ba7840467b983
f06a575032e67caa4508ab3a65bfc564c4686260083d2f31c0a1c9694e8bb9f1
bbd2c149ff9143d0899d89674c320ae974cc430a3b7b9807eb1bc164768faea9
SH256 hash:
0d343b36e5256317c2f24067c1b125fbef724112ab2ac4acccf9e48cc6208247
MD5 hash:
5f3277e3d190fb941e8f2a408aafc434
SHA1 hash:
75518f4e53c3a377013bbd047f3f54ec057d7e33
Link:
https://www.unpac.me/results/8705f7c1-fd32-4b81-ae1b-92c51b8a1910/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f06a575032e67caa4508ab3a65bfc564c4686260083d2f31c0a1c9694e8bb9f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z 2ef3e1f3e96c6e61a980295d87cf23ae938841a298a153d2dacad0be85b125a1

NanoCore

Executable exe f06a575032e67caa4508ab3a65bfc564c4686260083d2f31c0a1c9694e8bb9f1

(this sample)

  
Dropped by
MD5 fa2a6479dbbf784510c36c07378d6fa2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2ef3e1f3e96c6e61a980295d87cf23ae938841a298a153d2dacad0be85b125a1
Cape
Cape
https://www.capesandbox.com/analysis/72722/

Comments