MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d8e4c118f56f19506d5654931f4c3efe10919d1b9fe4d6b94ed07ae3571f880. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 3



SHA256 hash: 0d8e4c118f56f19506d5654931f4c3efe10919d1b9fe4d6b94ed07ae3571f880
SHA3-384 hash: bdbd52b554a3306dd3be829aaa2e37f747f92fb8a14d39c1991fa98db9ce094f85f8871761018a29eaee84ebec1a4e17
SHA1 hash: b6057f07be587c2695e0cd0d4cceee854ec7c4e7
MD5 hash: 595ee6a9b887dbf2bdbc49fe34ab877b
humanhash: india-black-failed-vermont
File name: RFQ0615.arj
Download: download sample
Signature: NanoCore
File size: 315'832 bytes
First seen: 2020-06-15 12:42:20 UTC
Last seen: Never
File type: arj
MIME type: application/x-rar
ssdeep: 6144:Sj7Yv0+KBxSuo+GN55dYLsZiFEgbEuXh/YXeXgJKPxR8+wNC0KGK4jkVhmBmU:uYvJKBxSuo+Grq3Eg9QCgeu+wNhKVthG
TLSH: 31642334B0987AF0EDD88726FC116C196862E24CDCA0296518B7FE7F1BF1139B87528D
Reporter: abuse_ch
Tags: arj NanoCore nVpn RAT


abuse_ch
Malspam distributing NanoCore:

HELO: serve0.yangtwang.pw
Sending IP: 142.11.195.30
From: Rohit Nikam <hr@yangtwang.pw>
Reply-To: sjrkintluea@gmail.com
Subject: RFQ Division Project (REFU, GmbH).
Attachment: RFQ0615.arj (contains "RFQ0615.exe")

NanoCore RAT C2:
185.165.153.26:1985

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 60
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2020-06-15 12:44:05 UTC
AV detection: 21 of 48 (43.75%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NanoCore
arj 0d8e4c118f56f19506d5654931f4c3efe10919d1b9fe4d6b94ed07ae3571f880 (this sample)
Dropping NanoCore

Delivery method: Distributed via e-mail attachment

Comments