MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29a3a0ef317bb59a49d3bf83bfb7fc38b11544882d2255cb010aa753753223d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29a3a0ef317bb59a49d3bf83bfb7fc38b11544882d2255cb010aa753753223d3
SHA3-384 hash: 2cc8f6bca741d88c42177962fd10fce2318433beb471edcc32d3b1d0f7fc35ae5082275eb8194a2ed0cffd9f8e44a363
SHA1 hash: 535116f8e9176f4e56f8518cca1dcba575b381b2
MD5 hash: 8e304813bc791b856e2b0da8f5c66471
humanhash: nuts-jig-wolfram-fix
File name:MSKU2271780 Shipment Documents.iso
Download: download sample
Signature NanoCore
Create hunting rule
File size:483'328 bytes
First seen:2020-05-14 06:37:23 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 6144:qq0k/KP5cVYZzsgTgKLqGDQjphueHG1zLSl7eQ2ssCIQESdmoubM8Tp:tKP5cV+5gKLfDQNw1zLq7e9OESsoubM
TLSH 44A4BE1137BD1775E4BA8BF85992A060C7B1725A34ADD37D9CC824CA1BE2F80CA45E37
Reporter abuse_ch
Tags:iso NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: ns3.aksaakustik.com
Sending IP: 176.53.17.115
From: shipping <admin@sesizolasyonu.net>
Subject: Re: Notification For Container Dummurage ~ MSKU2271780 / Shipment Documents
Attachment: MSKU2271780 Shipment Documents.iso (contains "MSKU2271780 Shipment Documents.exe")

NanoCore RAT C2:
mail.privateemail.com:5050 (185.165.153.33)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-14 04:16:51 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
13 of 31 (41.94%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgr2b3zrpo2zusotx6b37n74hcyrkreifurflsybbktvg5jsepjq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso 29a3a0ef317bb59a49d3bf83bfb7fc38b11544882d2255cb010aa753753223d3

(this sample)

NanoCore

Executable exe d65d472ac1f0c4dabfeba86c0c312218ccbcb612c7775edb3f85a89682471f29

  
Dropping
MD5 84b6eaf1fed93af9351f3e54714cd624
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d65d472ac1f0c4dabfeba86c0c312218ccbcb612c7775edb3f85a89682471f29

Comments