MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4af550932dd1985fffb6ac7902d54d610aba19265cacd6ed26785aa292e4f01a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: NanoCore
Vendor detections: 3

SHA256 hash: 4af550932dd1985fffb6ac7902d54d610aba19265cacd6ed26785aa292e4f01a
SHA3-384 hash: 7e42c3a6481deaf3db6f52fb245ee616012f9319bd7e1a9ddcd17f075fa4042a9ebd7971aacce665c063822f094d99da
SHA1 hash: 48d328e190fefa522fdb6eb1b04ac84af037bd7a
MD5 hash: d3c15d3d04162814e8689487cfd29933
humanhash: five-island-fillet-edward
File name: Folha de dados de cotação para nossa empresa doc.arj
Signature: NanoCore
File size: 558'250 bytes
First seen: 2020-07-09 07:55:09 UTC
Last seen: Never
File type: arj
MIME type: application/x-rar
ssdeep: 12288:jaI7mwL2APj9CnTQhh/KTWHWly8ZtkZIr8HWUV6gdEtn4cY:jaI7m4dhCn0DySHWlJtkrHbVfE949
TLSH: 93C4234F60258AD658CF8C5E3D25DA9F1C08E45250D7433C6D8CB3A76E01C926DEAABF
Reporter: abuse_ch
Tags: arj geo NanoCore nVpn PRT RAT


Comment by abuse_ch:
Malspam distributing NanoCore:

HELO: dedicated.fco.pt
Sending IP: 151.236.46.67
From: João Marques <geral@bidakis.com>
Subject: RE: Cotação - Transitex
Attachment: Folha de dados de cotação para nossa empresa doc.arj (contains "Folha de dados de cotação para nossa empresa doc.exe")

NanoCore RAT C2:
24thmatch2020.duckdns.org:5626 (194.5.98.28)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 97
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-07-08 17:27:35 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: NanoCore
arj 4af550932dd1985fffb6ac7902d54d610aba19265cacd6ed26785aa292e4f01a (this sample)
Dropping: NanoCore
Delivery method: Distributed via e-mail attachment