MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c309b742bc11978b5b3d3f6040bfe1da52f1988a6d42b5b4df03bd666b5a5a1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 2


Intelligence 2 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c309b742bc11978b5b3d3f6040bfe1da52f1988a6d42b5b4df03bd666b5a5a1f
SHA3-384 hash: 852110ba595c9939b3d22cd6ab9bb77d7a34fc28a5304805a58bf85cd373c93a1279bbe14f9a1cb4dea85b03ee9fea6b
SHA1 hash: 9de8ec7dce708f39da47a7c9a0b97a0f6a679bad
MD5 hash: 6953868816d642cce7a625443193a866
humanhash: missouri-yellow-november-kitten
File name:PAYMENT.IMG
Download: download sample
Signature NanoCore
Create hunting rule
File size:2'031'616 bytes
First seen:2020-05-28 06:07:16 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 24576:Ptb20pkaCqT5TBWgNQ7aulFgm+jR0qLJbgUAtV3Lhw8V166A:MVg5tQ7aul2CYJbQj3LhbS5
TLSH 2295E01273DE8365C3B25273BA25B701BEBF7C2506A1F96B2FD8093CE920161521E673
Reporter abuse_ch
Tags:img NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.158.42.8
From: Raymond Hancook <pedro.henrique@medbeta.com.br>
Reply-To: philmoore3123@gmail.com
Subject: PAYMENT
Attachment: PAYMENT.IMG (contains "PAYMENT.exe")

NanoCore RAT C2:
u852121.nvpn.so:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27681.XorExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 06:37:04 UTC
File Type:
Binary (Archive)
Extracted files:
27
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img c309b742bc11978b5b3d3f6040bfe1da52f1988a6d42b5b4df03bd666b5a5a1f

(this sample)

NanoCore

Executable exe 3261040962bfbb80c604e7f2df4351b3b9b6854ea771f9b9b5677c7ff31e985e

  
Dropping
MD5 29cee49ee55b1a3f9393779a26de7f64
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3261040962bfbb80c604e7f2df4351b3b9b6854ea771f9b9b5677c7ff31e985e

Comments