MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 047cd2f6c902c85b1f151b71b8c8ca23b48a1d375adf866138b7046d869a297a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 3

SHA256 hash: 047cd2f6c902c85b1f151b71b8c8ca23b48a1d375adf866138b7046d869a297a
SHA3-384 hash: 5932e04d8993d5d0aa68ae0a240d60adeaa761ca1c5f6eaf55d9c9b38685c4214fadaaeae28b6ec9e63e636b156ef703
SHA1 hash: 13b5b7b8d6f421c1832e8be0bf660b775d0de6cf
MD5 hash: dbe5c62b4bcebb15b95a7dcfa0080f0e
humanhash: alpha-wolfram-lamp-oven
File name: Payment_Details.img
Download: download sample
Signature: NanoCore
File size: 1'900'544 bytes
First seen: 2020-05-01 10:27:03 UTC
Last seen: Never
File type: img
MIME type: application/x-iso9660-image
ssdeep: 24576:MAHnh+eWsN3skA4RV1Hom2KXMmHa3rfV0cH7s3kVpAE1W0U/GkD5:rh+ZkldoPK8Ya3nNVKE1WpV
TLSH: 8B95BE027391D036FFAB92739B5AB24156BD7D250133852F23982DB9BE701B1263E763
Reporter: abuse_ch
Tags: img NanoCore nVpn RAT


abuse_ch
Malspam distributing NanoCore:

HELO: whynotmail.xyz
Sending IP: 54.38.225.41
From: Order Delivery.<gemclash@whynotmail.xyz>
Subject: Your Order Is Out For Delivery
Attachment: Payment_Details.img (contains "Payment_Details.exe")

NanoCore RAT C2:
ufok.duckdns.org:24980 (185.244.29.156)

Pointing to nvpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 1'168
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-01 10:35:46 UTC
File Type: Binary (Archive)
Extracted files: 17
AV detection: 20 of 48 (41.67%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: NanoCore
  img 047cd2f6c902c85b1f151b71b8c8ca23b48a1d375adf866138b7046d869a297a (this sample)
Dropping: NanoCore
Delivery method: Distributed via e-mail attachment