MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9c3f2ff12d358da32d06de5d330ee0be2f83e6eb0dedcec0694af9569ffaf93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9c3f2ff12d358da32d06de5d330ee0be2f83e6eb0dedcec0694af9569ffaf93
SHA3-384 hash: 15ac111444bf3088555a1a82bcad58d87a075cd6d0998932ce4f2938774ee2d76ba216a5cf5738ef3e12ee041ab66e4e
SHA1 hash: 2797efebdc2b799d7edc7719cf11c9648ea9409d
MD5 hash: 0ba6a4c8c006ac85054f6be0e809ca7e
humanhash: glucose-juliet-berlin-alanine
File name:CV-FAC327.uue
Download: download sample
Signature NanoCore
Create hunting rule
File size:522'701 bytes
First seen:2020-05-04 22:24:20 UTC
Last seen:Never
File type: uue
MIME type:application/x-rar
ssdeep 12288:yfvLecXMGNCIyxoW8oIE7LY1L/KpZXdWqk8cWkqHOa/6U58Z:l4pCgW8o13Y1L/KJWp8cWvz6s8Z
TLSH E1B4239754128140CD4F16A1321A2FB603F3C99AA4FF6C373E0E1CA175A9A5D75A0BEE
Reporter abuse_ch
Tags:NanoCore nVpn RAT uue


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mailout11.t-online.de
Sending IP: 194.25.134.85
From: CV TRADING S.A. <dr.ellwein@t-online.de>
Reply-To: CV TRADING S.A. <dr.ellwein@t-online.de>
Subject: RE: ORDEN DE COMPRA NÂȘ 327
Attachment: CV-FAC327.uue (contains "CV-FAC327.exe")

NanoCore RAT C2:
185.140.53.158:1414

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 04:03:13 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
22 of 30 (73.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3hb7f7ys2nmnumwqnxs5gmhobprpqptowdpnz3agssxzk2p7v6jq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

uue d9c3f2ff12d358da32d06de5d330ee0be2f83e6eb0dedcec0694af9569ffaf93

(this sample)

NanoCore

Executable exe 34d43ee6beda0ce62dbd56a058f9c2dab88e7068ef08488b1aed4202251b0f50

  
Dropping
MD5 feb84b47f016aa548d5535b31468877d
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 34d43ee6beda0ce62dbd56a058f9c2dab88e7068ef08488b1aed4202251b0f50

Comments