MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed6dcb67fbca80d8bcd1fa752b60cbf13023e2f9a86378115e273fe8cc3c029d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed6dcb67fbca80d8bcd1fa752b60cbf13023e2f9a86378115e273fe8cc3c029d
SHA3-384 hash: 668e09d98dfc443feb9f6285295e7d9bf618ca40c5cdc94e6dbbc36a0f890428073137fb8afaad54aab8b4625df577ff
SHA1 hash: 91f93d6b7c2e98067fb70ca981f4911feeff3a8e
MD5 hash: 265d9212b44134e7888d09efe7485339
humanhash: finch-moon-oxygen-september
File name:BYCZHPNTJponJNg.iso
Download: download sample
Signature NanoCore
Create hunting rule
File size:466'944 bytes
First seen:2020-06-29 06:49:27 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 12288:4IuUkBU0WKvpMARGpqDo9P99pMisXMzpdKi:nKvfcqDedsX+j
TLSH 0BA4CF2173B58706E5BE0BF904A0115403B67562A933E3AD9ECE74DA1FB37814E1BB1B
Reporter abuse_ch
Tags:iso NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: p3plwbeout11-02.prod.phx3.secureserver.net
Sending IP: 173.201.192.36
From: <bryan@thebaseballwarehouse.com>
Subject: NEFT Completed
Attachment: BYCZHPNTJponJNg.iso (contains "BYCZHPNTJponJNg.exe")

NanoCore RAT C2:
u870797.nvpn.to:3119 (185.244.29.158)

Pointing to nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.ENGK.190.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed6dcb67fbca80d8bcd1fa752b60cbf13023e2f9a86378115e273fe8cc3c029d/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 06:51:03 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5vw4wz73zkanrpgr7j2swygl6eychyxzvbrxqek6e476rtb4akoq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso ed6dcb67fbca80d8bcd1fa752b60cbf13023e2f9a86378115e273fe8cc3c029d

(this sample)

NanoCore

Executable exe d86b5f7fffdf4b871b5487b02de0366b3edbd96a75f86a0f57a602796a8136da

  
Dropping
MD5 e5aa2cddaf62776e27d3c9750c729335
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d86b5f7fffdf4b871b5487b02de0366b3edbd96a75f86a0f57a602796a8136da

Comments