MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac1b0eabfe9a1c20add6982b39f765e415624bb44304032d541c949b283c8940. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac1b0eabfe9a1c20add6982b39f765e415624bb44304032d541c949b283c8940
SHA3-384 hash: eb9406dba541b9e30c9f8b66f2bc2055c3228b389e9228b3ab87c32f287e29a5825902a06a095b2a0f877d181e6ebb44
SHA1 hash: 86ae3a29038ec4eea6489d3d090692e401f06b18
MD5 hash: e0bf74cc915894ddb16aa15ca49b7a07
humanhash: florida-may-triple-nevada
File name:Quotation List 3.gz
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'316'719 bytes
First seen:2020-05-20 07:08:52 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 24576:yqJ9HTJULgn8fSAOu0oc41PnmtcEVaFWaUsBh2wh1RnVjHC5nSIykjh:yqTHdULg8fBOu0oT5qaiW5xVbuSIy0
TLSH ED5533F2CAC82BDC7E336BDB62464867309E0A513BBD521F89EC5837E8CE3590B09555
Reporter abuse_ch
Tags:gz NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: crislu.pw
Sending IP: 173.82.219.115
From: adimin <iinfo@crislu.pw>
Reply-To: purchase.depertment@my.com
Subject: Product List/Request For Quotation-05/20/2020
Attachment: Quotation List 3.gz (contains "Quotation List (3).exe")

NanoCore RAT C2:
91.193.75.46:1985

Hosted on nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2019-12-05T05:39:00Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 07:36:45 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
18 of 48 (37.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqnq5k76tiocblowtavtt53f4qkwes5uimcaglkudskjwkb4rfaa._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz ac1b0eabfe9a1c20add6982b39f765e415624bb44304032d541c949b283c8940

(this sample)

NanoCore

Executable exe c919ec54980c11d415579d990d00df36d3a7e12641d15f24e0d5cdaf76d0123a

  
Dropping
MD5 4704e5e881daad9fe33626b91f9a6a60
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c919ec54980c11d415579d990d00df36d3a7e12641d15f24e0d5cdaf76d0123a

Comments