MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c48e377907cb6551294b7650a1fdf4ac6b9c29beadea771f04d5d9c92ff1bc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c48e377907cb6551294b7650a1fdf4ac6b9c29beadea771f04d5d9c92ff1bc0
SHA3-384 hash: ad4c4f3fff419ef99ee6ce3d006a0c523788d0d2770425076a75ce6e64beafe408cbeb85d62e784854c7866c11dd051c
SHA1 hash: 773099d5dd7b245d7f19f7eacb34f34b774aa003
MD5 hash: c01f93d7fbce8c3fe268bc9392c351a8
humanhash: violet-steak-shade-skylark
File name:Payment Advice Hsbc_PDF.gz
Download: download sample
Signature NanoCore
Create hunting rule
File size:299'898 bytes
First seen:2020-05-13 07:10:10 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 6144:zCYYTOz78NQr63QzpsyWYd/JVk3VqJcUNCa2WTO1YE8KXoHQG:zCP3NQWI2yLzK3VqJcK7DvE+
TLSH D95423C778BE083F509D5456E79D35FA5FA06A3E884C71A9249F6E81A891AC1EF10F0C
Reporter abuse_ch
Tags:gz HSBC NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: j0j40j2k.ni.net.tr
Sending IP: 185.95.86.158
From: HSBC Advising Service <advising.service.14060882.825605.2829991142@securemail-advising.hsbc.com>
Subject: Payment Advice - Advice Ref:[GLV404784928] / ACH credits / Customer Ref:[00330LEN68M00100] / Second Party Ref:[540000822720][GLV422836282] / ACH credits / :[20200417O04] /
Attachment: Payment Advice Hsbc_PDF.gz (contains "Payment Advice Hsbc_PDF.exe")

NanoCore RAT C2:
194.5.98.8:4573

Hosted on nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27271.Rar5Heur.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 07:36:46 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
24 of 48 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hreog54qps3fkeuuw5squh67jldltqu35lpko4pqjvozzex7dpaa._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz 3c48e377907cb6551294b7650a1fdf4ac6b9c29beadea771f04d5d9c92ff1bc0

(this sample)

NanoCore

Executable exe bc33d0face20153ffe1ebf0c3e9043894633a624d8e4214084c292e353777f46

  
Dropping
MD5 e00de75fd93d0c5fbc3b18a3c5946c96
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 bc33d0face20153ffe1ebf0c3e9043894633a624d8e4214084c292e353777f46

Comments