MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9784a300440627a54e6d87fe6e93f48a69c741278ba312d6a94570307135ba4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9784a300440627a54e6d87fe6e93f48a69c741278ba312d6a94570307135ba4c
SHA3-384 hash: f5f77af5d9098de9581966e60c778bd0d4976db811f56641b4d1af15b48eb2a07adbbd73415871e84c1088397e94eea6
SHA1 hash: 4f3ee3031223f91a41e225b348d1a83671cff21f
MD5 hash: 368b704d8588a68f5bffa525500f3515
humanhash: kentucky-tango-ceiling-california
File name:PO_34552-JUNE.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:289'804 bytes
First seen:2020-06-26 06:41:59 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:tHRawDCkz4tO04dzi16qxIcLPGc24sZrMi/fVNbFd8u+4Oh:dCuA+Q6qOcLPYrFNbFd8uEh
TLSH 9D5422D0A2396401DB8300DACF4951DA7CBAFEF84B376777107A9729743E1DD252A892
Reporter abuse_ch
Tags:NanoCore nVpn RAT zip


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: cloud.spring.net.in
Sending IP: 103.127.29.248
From: Maria Sohail <acct1@vinflair.com>
Subject: Re: Outstaning Statement
Attachment: PO_34552-JUNE.zip (contains "STMPO3683HK.exe")

NanoCore RAT C2:
darlingtondc.hopto.org:1905 (185.165.153.17)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.f75bcb16ae21df7e.11718.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9784a300440627a54e6d87fe6e93f48a69c741278ba312d6a94570307135ba4c/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-26 06:42:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6ckgaceayt2kttnq77g5e7urju4oqjhrorrfvvjivyda4jvxjga._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 9784a300440627a54e6d87fe6e93f48a69c741278ba312d6a94570307135ba4c

(this sample)

NanoCore

Executable exe cd041f14ff9c62fb4e6c474dbfb2dc8905b1680c8d58063d7e24381cef97a779

  
Dropping
MD5 bc819cddc10cd48bb77a200b3bb65605
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 cd041f14ff9c62fb4e6c474dbfb2dc8905b1680c8d58063d7e24381cef97a779

Comments