MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c98677209760b545859b433ae758c10e57be9c035404205210f9defeff4d382f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c98677209760b545859b433ae758c10e57be9c035404205210f9defeff4d382f
SHA3-384 hash: a9b1a25136cfa41393fe59fd864e30d13913fdae49b26512c2a84511060d0eec2214e695e2bb52c8cf33e9bc94476d01
SHA1 hash: 043d2da769b5d01ca55bd26a0ca936911912ffc3
MD5 hash: 959e98e837ff5289bc8a440507446807
humanhash: carbon-blossom-glucose-juliet
File name:PO7442,pdf.iso
Download: download sample
Signature NanoCore
Create hunting rule
File size:493'568 bytes
First seen:2020-06-10 09:56:47 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 12288:BRYbh5D/fmCiQJwRvtuI0razwaSkHg+CiH:0V5D/DLwRvDqaC
TLSH 58A49E897650B2DFC82BCD7689A81C24AB6174675327D247B44B12ED9B0EBD7CF002E3
Reporter abuse_ch
Tags:CHN geo iso NanoCore RAT.nVpn


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: s6.paukhost.com
Sending IP: 88.99.110.27
From: Chen Joseph <sales@hygroup.com.tw>
Subject: 采购订单#7442
Attachment: PO7442,pdf.iso (contains "PO#7442,pdf.exe")

NanoCore RAT C2:
billionaire.ddns.net:3734 (79.134.225.122)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE


Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 08:03:10 UTC
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgdhoiexmc2ulbm3im5oowgbbzl35hadkqccauqq7hpp572nhaxq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso c98677209760b545859b433ae758c10e57be9c035404205210f9defeff4d382f

(this sample)

NanoCore

Executable exe 98cfc2f76ee8cefd9aa0b9be4c317800223f93ffb6e63577e8a9466693585515

  
Dropping
MD5 b940381f5bd10911f82f9b09917ae6de
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 98cfc2f76ee8cefd9aa0b9be4c317800223f93ffb6e63577e8a9466693585515

Comments