MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 372bbae4e9a976f25e1b8e146ef0bff34fe7649d9ae96bb4b9377d5b031a4c07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 372bbae4e9a976f25e1b8e146ef0bff34fe7649d9ae96bb4b9377d5b031a4c07
SHA3-384 hash: a736dca7654b50ad98f26e82c739d06f2dc1a7f8cca248d10d28c5e4a021cde03872b98f3847d9d55e097481aa92b681
SHA1 hash: 71ccf393ce4dfddb8b688d7455e2caea67ada8c3
MD5 hash: 4388e33559335bf85961178c8b249cfa
humanhash: massachusetts-august-yellow-wyoming
File name:Invoice ML 236917.img.z.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:479'525 bytes
First seen:2020-06-19 06:51:54 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:d01+2fmI7pZ0ycMEROJNr/M4du3fVdHqMNvJySEBpQ0bi3v6dC0:d01+zI78ZH6NYH/VySSmj/6g0
TLSH 5BA42374D38301317585BB1EE25AD5ECF56EECD8FD099B0614460E8392C6DD89838BBC
Reporter abuse_ch
Tags:NanoCore nVpn RAT zip


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: spangles.serversfarm.com
Sending IP: 101.53.157.186
From: Accounts <chugas@glropes.com>
Subject: Fw: Payment Advice-97
Attachment: Invoice ML 236917.img.z.zip (contains "Invoice ML 236917.img.exe")

NanoCore RAT C2:
185.244.30.209:8366

Hosted on nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.244.30.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-06-03T09:20:12Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Graftor.775012.17510.17428.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.24016.ZipHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.21103.ZipHeur.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-19 06:53:03 UTC
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g4v3vzhjvf3pexq3rykg54f76nh6oze5tluwxnfzg56vway2jqdq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 372bbae4e9a976f25e1b8e146ef0bff34fe7649d9ae96bb4b9377d5b031a4c07

(this sample)

NanoCore

Executable exe bd23c3a3d5215798a115525fe15803ee5f4393ae77d49e081770761beecb14ea

  
Dropping
MD5 87bc68460f77a752c7bf66b5c9724426
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 bd23c3a3d5215798a115525fe15803ee5f4393ae77d49e081770761beecb14ea

Comments