MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35
SHA3-384 hash:	50ae2ac722d902adc0d8ce40ac945b0bbcda0becb27a91c2be807d582d4f06649bf1a4c3e7732cdd39647b5611554689
SHA1 hash:	86bc7ae9c340b916c5b81d4d7b89b27825f14d27
MD5 hash:	4fe63b1b3dd8e7b79e4a8ca5f1780a6d
humanhash:	maryland-mirror-magnesium-black
File name:	ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	1'939'968 bytes
First seen:	2020-07-06 06:36:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	49152:EZMOdQQEtB9NGiGtjOlZ6SScW27YEOGGcrqTNLuq+hm:tOcBGHalZ3ScW27D9GIqpuqv
Threatray	10'801 similar samples on MalwareBazaar
TLSH	319523703705FF95C1B98B70A20191174D797EAB2530E64E7D8220FCAD92F88DB666E3
Reporter	JAMESWT_WT
Tags:	NanoCore

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20850/

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Unauthorized injection to a system process

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-07-03 00:44:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=74frs7xtjaak2ad2lsxnv5efv5nokizuhtuoyednhist2lakji2q._file

Verdict:

malicious

Label(s):

nanocorerat

agenttesla

NanoCore

a8f1b181c37984cf41eb816ec9375d0ef94a5d6dd17f846612b9c95f4129bdc4

NanoCore

b7cb60d089ef36aba7f0f58abd759a5c71f755f1b7842ce1f2acb11c4e192f0d

NanoCore

c0a03dcce1ec66a2dfb9347b2c8263782ee59e7be3844efb136561c7c4f591c6

NanoCore

c2cc66ffc0aa0e8aca95e53d21258868583a2048d0c25538c5b25b47621224b7

NanoCore

d0656a37a28efcb2d601e3684d03b3f61048e62b2338f1d0bbeb374d3858f6b2

NanoCore

d9019cb11445834f1406f08551653edc2f6f06caa32dfbf640e422c77a93f5f7

NanoCore

d9146883a7ac6f961a504acac6cd2e2a538eb102aec9c07d571541ac1ea976aa

NanoCore

edd8ffd641e14804cf56763e7369936bd9aaf2a9248dd9aaa196f8f27b416dd6

NanoCore

f2928aee1a9d89b026c0fbb75b913ad0613aa48c4539bebbc8c89e8be1ad0365

NanoCore

+ 10'791 additional samples on MalwareBazaar

Result

Malware family:

nanocore

Score:

10/10

Tags:

ransomware keylogger trojan stealer spyware family:agenttesla family:masslogger evasion family:nanocore

Link:

https://tria.ge/reports/200706-lhqm44wtdj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Executes dropped EXE

AgentTesla

MassLogger

MassLogger log file

NanoCore

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20850/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample