MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 630c8ea90459dcf5639a2b7ddb5a51da0de30996471a3a310071506f55fb6a7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 2 File information 4 Yara Comments

SHA256 hash: 630c8ea90459dcf5639a2b7ddb5a51da0de30996471a3a310071506f55fb6a7f
SHA3-384 hash: afe9f1fedc7ff687a365098ed1350a6f350d46cc9112f94121c80a74003e9de69578c67ad992fe1ab65909d63c590bde
SHA1 hash: 7217859117779bcf18ab8057610e7f0585e691dc
MD5 hash: 4c5df0a49c0c554d9cd7aaa4fa979b44
humanhash: eighteen-orange-coffee-william
File name:35178035_Invoice_C0nfirmation.iso
Download: download sample
Signature n/a
File size:612'352 bytes
First seen:2020-06-30 05:20:39 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 6144:xa+lKsYfRjy2kD7HK75wSHRGdO90q/Dua+21ajhdRJ3Ma/uwVRwJ7kTU:4oBD7HK75JxV90Ir+XRJ8aWRkTU
TLSH 41D4CF5A23E88D69C23FA775B52022158372F197D16BE70E28CDD1E11F63781AB423DB
Reporter @abuse_ch
Tags:iso NanoCore nVpn RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: alt12.smtp-out.videotron.ca
Sending IP: 135.19.0.26
From: Paul Abad <gplhs@gplhs.org>
Subject: Payment Confirmation.
Attachment: 35178035_Invoice_C0nfirmation.iso (contains "35178035_Invoice_C0nfirmation.exe")

NanoCore RAT C2:
netwomo.duckdns.org:7654 (185.140.53.174)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence


Mail intelligence
Trap location Impact
Global Low
# of uploads 1
# of downloads 31
Origin country US US
ClamAV SecuriteInfo.com.MSIL.GenKryptik.ENIA.21761.UNOFFICIAL
CERT.PL MWDB Detection:n/a
Link: https://mwdb.cert.pl/sample/630c8ea90459dcf5639a2b7ddb5a51da0de30996471a3a310071506f55fb6a7f/
ReversingLabs :Status:Malicious
Threat name:ByteCode-MSIL.Trojan.Genkryptik
First seen:2020-06-30 05:22:06 UTC
AV detection:15 of 31 (48.39%)
Threat level:   5/5
Spamhaus Hash Blocklist :Suspicious file
VirusTotal:Virustotal results 21.67%

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 630c8ea90459dcf5639a2b7ddb5a51da0de30996471a3a310071506f55fb6a7f

(this sample)

  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment

Comments