MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c76e585c052ba24e2d8d9e4213b1ead50366e6f828a8d66d9cb6b00b96c14c37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c76e585c052ba24e2d8d9e4213b1ead50366e6f828a8d66d9cb6b00b96c14c37
SHA3-384 hash: 1756499f781076fae6714a9bff00f8eeabde9575e1e90b40f11e8ec869b5dc0af4e4607d328dc2780dac30029e659563
SHA1 hash: 59b6baf141510d8816aa864bad19cb3b697978c0
MD5 hash: 697b8cbb348cf618e57079059613ac60
humanhash: kansas-triple-equal-rugby
File name:Order_9330.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:309'554 bytes
First seen:2020-04-29 18:18:43 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:sI8N3SiRaGiM88rwPgZtyBps4H5iJSaO68N8j2jPmH/W0j+zy:43Si0GiM7woTyAJ7qmH/+zy
TLSH 4A642390D40972307634473B5415C96C257EF38EB4D1662D51FB3BAEF88AEC82AD29CB
Reporter abuse_ch
Tags:NanoCore nVpn RAT zip


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: alkuhaimi.com
Sending IP: 209.58.149.66
From: S Kumar. R <rud-division@alkuhaimi.com>
Subject: Order
Attachment: Order_9330.zip (contains "Order_9330.exe")

NanoCore RAT C2:
dealbaba.ddns.net:4040 (79.134.225.73)

Hosted on nvpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33742726.30736.8973.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.22887.ZipHeur.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 19:54:00 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y5xfqxaffore4lmntzbbhmpk2ubwnzxyfcunm3m4w2yaxfwbjq3q._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip c76e585c052ba24e2d8d9e4213b1ead50366e6f828a8d66d9cb6b00b96c14c37

(this sample)

NanoCore

Executable exe 2b70fdc39cc7849e555d2b7cdd0984ecd259bbfb1a8985d975f44c402360d5ce

  
Dropping
MD5 8cc39a8f7bc20068baba2280d4fab6c3
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2b70fdc39cc7849e555d2b7cdd0984ecd259bbfb1a8985d975f44c402360d5ce

Comments