MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40708272ee69090ae3dfc3ec4f86c5f7239899126cdbea2772db28c9b21e218a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 3

SHA256 hash: 40708272ee69090ae3dfc3ec4f86c5f7239899126cdbea2772db28c9b21e218a
SHA3-384 hash: aff2a45892f4f37ab8fdaad26bed82fd32b2f3bbe8e22846959880a44dd0d86704c17cee0b4f761254e20c4f2da2dae9
SHA1 hash: 9673ccb99393cce844d052038eab1272d00cde64
MD5 hash: fc0c6e6e32c470e2a61aea9f29bbb12e
humanhash: fillet-uranus-florida-freddie
File name: Payment Advice Hsbc_Pdf.gz
Signature: NanoCore
File size: 300'895 bytes
First seen: 2020-05-11 08:39:31 UTC
Last seen: Never
File type: gz
MIME type: application/x-rar
ssdeep: 6144:TQ7COVis6AJTlruCAf6mWzLQiShYJuBWcK39fZbgcoDE988Grw2gsrDacnTl1d:TyVljJxruPf6tPQjYLcKTog97Grasr2k
TLSH: 0E54232601CBC38525BED13E1F3BBA335AE3D39A4747E25AFB9901C5A832143172695F
Reporter: abuse_ch
Tags: gz HSBC NanoCore RAT


abuse_ch
Malspam distributing NanoCore:

HELO: j0j40j2k.ni.net.tr
Sending IP: 185.95.86.158
From: HSBC Advising Service <advising.service.14060882.825605.2829991142@securemail-advising.hsbc.com>
Subject: Payment Advice - Advice Ref:[GLV422836282] / ACH credits / Customer Ref:[20200417O04] / Second Party Ref:[] 付款通知書 - 通知書參考編號 Ref:[GLV422836282] / ACH credits / 客戶參考編號:[20200417O04] / 第二方參考編號:[]
Attachment: Payment Advice Hsbc_Pdf.gz (contains "Payment Advice Hsbc_Pdf.exe")

NanoCore RAT C2:
194.5.98.8:4573

Hosted at nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-05-11 06:00:30 UTC
File Type: Binary (Archive)
Extracted files: 7
AV detection: 11 of 48 (22.92%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: NanoCore

gz 40708272ee69090ae3dfc3ec4f86c5f7239899126cdbea2772db28c9b21e218a (this sample)

Dropping: NanoCore

Delivery method: Distributed via e-mail attachment

Comments