MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 193469816e8dc1ea95649fb6ceea55924d893589a4784f9b2396dc386394e09e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 193469816e8dc1ea95649fb6ceea55924d893589a4784f9b2396dc386394e09e
SHA3-384 hash: 145529f1dc28cba4300a999740f9080adedd18f18b5fe7c799028c54a2f88bccad73aa94b710339e0b658993695bff10
SHA1 hash: c02cd0ab2e18fdcc8eb0619fbfcb9985fc347117
MD5 hash: a3632b05867a2291f77e10c4caeb1bcb
humanhash: august-eight-kentucky-table
File name:BILLING STATEMENT 0342.PDF.LZH
Download: download sample
Signature NanoCore
Create hunting rule
File size:968'495 bytes
First seen:2020-07-20 09:21:53 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:e5bUGmJplBXETcoBrVdZWfoSdjKUz99Bmkdkz3MjSkk3M:e5bUGAp4cGZXATO33M
TLSH 9425333B7833B12589D58CF2519FCB258077C099E709C89980FB272769FC725A8F64B9
Reporter abuse_ch
Tags:lzh NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: hermancarlo.com
Sending IP: 162.210.98.146
From: SAMERAC GROUP EU <sameracmanila@yahoo.com>
Subject: RE: BILLING STATEMENT
Attachment: BILLING STATEMENT 0342.PDF.LZH (contains "BILLING STATEMENT 0342.PDF.exe")

NanoCore RAT C2:
leewardmarineservices.mywire.org:54985 (91.193.75.22)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@privacyfirst.sh'

inetnum: 91.193.75.0 - 91.193.75.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
abuse-c: ACRO34258-RIPE
mnt-by: PRIVACYFIRST-MNT
mnt-by: RIPE-NCC-END-MNT
status: ASSIGNED PI
org: ORG-KHd1-RIPE
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2020-07-15T15:25:07Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/193469816e8dc1ea95649fb6ceea55924d893589a4784f9b2396dc386394e09e/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 09:23:08 UTC
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=de2gtalorxa6vflet63m52svsjgysnmjur4e7gzds3odqy4u4cpa._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/193469816e8dc1ea95649fb6ceea55924d893589a4784f9b2396dc386394e09e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 193469816e8dc1ea95649fb6ceea55924d893589a4784f9b2396dc386394e09e

(this sample)

NanoCore

Executable exe 7b6c1b2aaa6f7f89812ed6be3f275ff5de8827c61b14372242a617604baa0e8c

  
Dropping
MD5 ed30a62c9c2e90f2157ef060db76b211
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7b6c1b2aaa6f7f89812ed6be3f275ff5de8827c61b14372242a617604baa0e8c

Comments