MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf7bb55f86881421308773412d13009c2d8d4de0b993edb962593c3a32896590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf7bb55f86881421308773412d13009c2d8d4de0b993edb962593c3a32896590
SHA3-384 hash: 2b4b851f10240b623f4bd39d785162f500a168cd53b18e8d45c89c22906617eb8784c4a83b3f2b7a9899a2beed2a50fe
SHA1 hash: ccd615ed546ecb76fa35f2efc91c101e1ea15202
MD5 hash: c6ccf7caa7337c3aea4e5a79bbd391c4
humanhash: beryllium-coffee-kitten-kitten
File name:APROVAÇÃO DE PAGAMENTO.r11
Download: download sample
Signature NanoCore
Create hunting rule
File size:298'039 bytes
First seen:2020-06-12 08:17:29 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:BBqH2horZBSpd/nrDWxn5bJaVvRFc1vneeiwcShEWD0:eH2yrZBSpRnrIniJWvnUvSxD0
TLSH AA5423634FC9806B9A710CBA160F96CAFAD0D5D06476CA7CE6046B77DDC93CC2D76282
Reporter abuse_ch
Tags:NanoCore nVpn r11 RAT SCB


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: konzolvilag.hu
Sending IP: 37.221.209.134
From: Standard Chartered Bank Angola <info@asmaraco.com>
Subject: Re: Pagamento Standard Chartered Bank Angola
Attachment: APROVAÇÃO DE PAGAMENTO.r11 (contains "APROVAÇÃO DE PAGAMENTO.exe")

NanoCore RAT C2:
kcbill.ooguy.com:6331 (185.165.153.6)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 08:19:04 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x553kx4grakccmehonas2eyatqwy2tpaxgj63olcle6dumujmwia._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar bf7bb55f86881421308773412d13009c2d8d4de0b993edb962593c3a32896590

(this sample)

NanoCore

Executable exe 604db0a6d0b7f69c38138a21fb7869ef2e7279cf86e8f33677eb4be24483f24b

  
Dropping
MD5 d9ba6355021f79911f6075b26546aa8e
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 604db0a6d0b7f69c38138a21fb7869ef2e7279cf86e8f33677eb4be24483f24b

Comments