MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbc5a1e5f8a02c644cf207d40885c7973dc7e4809b97f676927da3e13e17ed1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 8

Intelligence 8 IOCs YARA 19 File information Comments

SHA256 hash:	fbc5a1e5f8a02c644cf207d40885c7973dc7e4809b97f676927da3e13e17ed1f
SHA3-384 hash:	dc862a646f49700b31fff2d63af4b9f3265528883f4187c1ac025cffc2b4fde8c1de7ccde9a0bc8e7b55dffbfbeed0e4
SHA1 hash:	ca29113b7607ecb7d9a65d8285d7d36f367b1cd0
MD5 hash:	fcf52f96d96c68788ffe13fcccd4c89c
humanhash:	jig-pizza-batman-lamp
File name:	Invoice No F1019855_PDF.vbs
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	2'072'856 bytes
First seen:	2021-05-11 17:02:34 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24576:b+Ve64mPEkJd1XpdQ5YImc4yFNkVQtJpE5821c5+D5PTxrpWhFcW1Gi/zQSov0FF:bIz4ToQsx46J/0
Threatray	1 similar samples on MalwareBazaar
TLSH	FAA5B472D305F3DA7C3DB4868385B1EF6C606B02A5744F34F59F7A4102E6AA9DA3124E
Reporter	abuse_ch
Tags:	NanoCore RAT vbs

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AsyncRat

Link:

https://www.capesandbox.com/analysis/155173/

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Result

Threat name:

Nanocore AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/778933

Signature

.NET source code contains potential unpacker

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected Nanocore Rat

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: NanoCore

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

VBScript performs obfuscated calls to suspicious functions

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Nanocore RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fbc5a1e5f8a02c644cf207d40885c7973dc7e4809b97f676927da3e13e17ed1f/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2021-05-11 17:03:14 UTC

AV detection:

10 of 47 (21.28%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7pc2dzpyuawgithsa7karbohs464pzeatol7m5uspwr6cpqx5upq._file

Verdict:

unknown

NanoCore

Result

Malware family:

nanocore

Score:

10/10

Tags:

family:asyncrat family:nanocore evasion keylogger rat spyware stealer trojan

Link:

https://tria.ge/reports/210511-gyha7m9322/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Maps connected drives based on registry

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Looks for VMWare Tools registry key

Async RAT payload

Looks for VirtualBox Guest Additions in registry

AsyncRat

Contains code to disable Windows Defender

NanoCore

Malware Config

C2 Extraction:

sys2021.linkpc.net:11940
191.96.25.26:11940

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fbc5a1e5f8a02c644cf207d40885c7973dc7e4809b97f676927da3e13e17ed1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NanoCore Create hunting rule
Author:	abuse.ch

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	Choice_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	INDICATOR_SUSPICIOUS_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing artifcats associated with disabling Widnows Defender

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	Nanocore Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Nanocore in memory
Reference:	internal research

Rule name:	nanocore_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Nanocore_RAT_Feb18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Nanocore RAT
Reference:	Internal Research - T2T

Rule name:	Nanocore_RAT_Gen_2 Create hunting rule
Author:	Florian Roth
Description:	Detetcs the Nanocore RAT
Reference:	https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name:	pe_imphash Create hunting rule

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	win_nanocore_w0 Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/155173/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample