MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a75547bc0830ba2baaa6c753e4a6ba59be1c2d6a86ba4293a80efc39a345a20e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a75547bc0830ba2baaa6c753e4a6ba59be1c2d6a86ba4293a80efc39a345a20e
SHA3-384 hash: 7595f5660472f8e7b117712acd8a515b9017d292a26830fa9a80817b86af1cbf7cbd654b589d355493aefc8d31178c84
SHA1 hash: b0a69fbb855ddd327f5c762a5f9808de942f0e6b
MD5 hash: 43124bbf3549ddc7a413fe852a484026
humanhash: nuts-echo-arizona-cold
File name:mt103_copy.arj
Download: download sample
Signature NanoCore
Create hunting rule
File size:958'690 bytes
First seen:2020-04-03 11:04:56 UTC
Last seen:Never
File type: arj
MIME type:application/x-rar
ssdeep 24576:hs6a3YqGkiuY14zbOZ+mTKVISQW+sG96JFLPl:hsjGnB14HmHTvSQW+XYJFLPl
TLSH 3E153381F83A191E0295010E72C54AE883D5ECA4FC1C2EE7F57D3D92F2C959BBB9166C
Reporter abuse_ch
Tags:arj COVID-19 NanoCore nVpn RAT


Avatar
abuse_ch
COVID-19 themed malspam distributing NanoCore RAT:

HELO: gomez.com
Sending IP: 94.177.242.67
From: YULING WANG <garrett@biran.com>
Subject: Transfer delay due to pandemic COVID-19
Attachment: mt103_copy.arj (contains "mt103_copy.exe")

NanoCore C2:
91.193.75.137:198

Hosted on nvpn:
% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-03 11:35:40 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
18 of 47 (38.30%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5kuppaigc5cxkvgy5j6jjv2lg7byllkq25efe5ib36dti2fuiha._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj a75547bc0830ba2baaa6c753e4a6ba59be1c2d6a86ba4293a80efc39a345a20e

(this sample)

NanoCore

Executable exe 99e30892ad3ffaafd44af0a0ee9b8e9f1a61914d686fc9792baade292bbf5361

  
Dropping
MD5 ea73a11b1267fad0eef9211aa4cb055c
  
Dropping
SHA256 99e30892ad3ffaafd44af0a0ee9b8e9f1a61914d686fc9792baade292bbf5361
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment

Comments