MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da201ffc0d2161af67b002baae479ebd1611711dc776bb22cdf5d158492a725c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 3



SHA256 hash: da201ffc0d2161af67b002baae479ebd1611711dc776bb22cdf5d158492a725c
SHA3-384 hash: 6d04415680c065a0d0ba73abda3be177d895be0da6d18325bfcf465572fa19928be73467ff36cd07d777283caebbade8
SHA1 hash: fd5b5daefb8aba44ef3e1e956648d6b8c169b95f
MD5 hash: 176d4937c923da9c203272c8c63f31c4
humanhash: xray-orange-fifteen-yankee
File name: COVID-19 VACCINE.arj
Signature: NanoCore
File size: 1'189'703 bytes
First seen: 2020-03-31 11:46:23 UTC
Last seen: Never
File type: arj
MIME type: application/x-rar
ssdeep: 24576:5CcoJRcEGSFMZx+oZHjA5NzV7hoHTjI0lcB7LuCveAPRRMni9:5doJRclSFMLrHEzV7SzjeP3PzMnS
TLSH: 2D4523DAB757669D1B038CB10B34344A53BC0AB455FAC6B46FEE4E005F0E8E198B636D
Reporter: abuse_ch
Tags: arj COVID-19 NanoCore RAT


abuse_ch
COVID-19 themed malspam campaign distributing NanoCore RAT:

HELO: momo.com
Sending IP: 89.36.214.239
From: Dr Luis Jorge Perez (WHO) <mcclure@cedarpoint.com>
Subject: Corona-Virus Disease (COVID-19) Pandemic Vaccine Released
Attachment: COVID-19 VACCINE.arj (contains "COVID-19 VACCINE.exe")

NanoCore RAT C2:
91.193.75.137:1985

Hosted on nvpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU

Intelligence


File Origin
# of uploads: 1
# of downloads: 94
Origin country: n/a
Vendor Threat Intelligence
Threat name: Script-AutoIt.Trojan.Injector
Status: Malicious
First seen: 2020-03-31 12:35:57 UTC
File Type: Binary (Archive)
Extracted files: 12
AV detection: 15 of 47 (31.91%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj da201ffc0d2161af67b002baae479ebd1611711dc776bb22cdf5d158492a725c (this sample)

Dropping: NanoCore
Delivery method: Distributed via e-mail attachment
