MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75830575168e1d024a8d0c86764cb9b88eea3c79f0c4a24fb39d4e94fd2c42d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence 2 File information 4 Yara 5 Comments

SHA256 hash: 75830575168e1d024a8d0c86764cb9b88eea3c79f0c4a24fb39d4e94fd2c42d7
SHA3-384 hash: ecd0929dd8dd287f11e9d5c0f5e06e1aa9a0a614176555c3c13ad2e804b3ddfa44abf645e0d0866d4989ae73337b39de
SHA1 hash: f799bb755f425e4a48df088ed943820f3138687c
MD5 hash: d887b8782af6bff600b431c49fc6bd3e
humanhash: alabama-lamp-wisconsin-pizza
File name:35178035_Invoice_C0nfirmation.exe
Download: download sample
Signature NanoCore
File size:549'376 bytes
First seen:2020-06-30 05:20:42 UTC
Last seen:2020-06-30 05:48:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:ja+lKsYfRjy2kD7HK75wSHRGdO90q/Dua+21ajhdRJ3Ma/uwVRwJ7kTU:SoBD7HK75JxV90Ir+XRJ8aWRkTU
TLSH BEC4CF5A33F88D69C23FA779B520221583B2F197D15BE70E48C5E1E11D63781AB423DB
Reporter @abuse_ch
Tags:exe NanoCore nVpn RAT

Malspam distributing NanoCore:

Sending IP:
From: Paul Abad <>
Subject: Payment Confirmation.
Attachment: 35178035_Invoice_C0nfirmation.iso (contains "35178035_Invoice_C0nfirmation.exe")

NanoCore RAT C2: (

Pointing to nVpn:

% Information related to ' -'

% Abuse contact for ' -' is ''

inetnum: -
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE


Mail intelligence
Trap location Impact
Global Low
# of uploads 2
# of downloads 32
Origin country US US
CAPE Sandbox Detection:NanoCore
CERT.PL MWDB Detection:nanocore
ReversingLabs :Status:Malicious
Threat name:ByteCode-MSIL.Trojan.Genkryptik
First seen:2020-06-30 05:22:06 UTC
AV detection:22 of 30 (73.33%)
Threat level:   5/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   10/10
Malware Family:nanocore
Tags:evasion trojan keylogger stealer spyware family:nanocore
VirusTotal:Virustotal results 31.94%

Yara Signatures

Rule name:ach_NanoCore
Rule name:Nanocore
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Rule name:win_nanocore_w0
Author: Kevin Breen <>

File information

The table below shows additional information about this malware sample such as delivery method and external references.



Executable exe 75830575168e1d024a8d0c86764cb9b88eea3c79f0c4a24fb39d4e94fd2c42d7

(this sample)

Delivery method
Distributed via e-mail attachment