MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7821a2e0c24aeb38ae3a90b5c85c410fdc2e08c43e4964b1cca670d5543897. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b7821a2e0c24aeb38ae3a90b5c85c410fdc2e08c43e4964b1cca670d5543897
SHA3-384 hash: 891389feea5c9f32a31d88f608f601210d8a5e9a495784419b6336d1874c4e9436a536d2a145d39516d9a3d45288d582
SHA1 hash: e22fd76642733b209a380f0a9dbe8920bc560c58
MD5 hash: fed0c95a5a525ffa57a495d9ee631f66
humanhash: india-helium-carpet-maryland
File name:Coronavirus.xlsm
Download: download sample
Signature NanoCore
Create hunting rule
File size:420'565 bytes
First seen:2020-04-18 06:10:08 UTC
Last seen:2020-04-18 06:38:54 UTC
File type:Excel file xlsm
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 12288:J49w8fyunGthwu8kxPthZugvq4jzjSGUudKsj:J49b7AhFxPthZnvL3tdKS
TLSH A094233BD298AE9FC6F3EA7D8D458AE7231653DD339478BA78188884071F12EC171D51
Reporter cocaman
Tags:COVID-19 NanoCore xlsm


Avatar
cocaman
Malicious email
From: "CDC Team" <covid19@b-tu.de>
Date: Fri, 17 Apr 2020 13:58:36 -0700
Subject: Coronavirus update (COVID-19) USER@EMAIL.org your neighbors tested
positive!

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Xls.Dropper.Agent-7672717-0
Create hunting rule

Doc.Dropper.Agent-7673945-0
Create hunting rule

Gathering data
Threat name:
Document-Word.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-04-18 18:17:00 UTC
File Type:
Document
Extracted files:
26
AV detection:
16 of 31 (51.61%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dn4cdixayjfowofohkillsc4ieh5ylqiyq7eszfrzsthbvkuhclq._file
Verdict:
unknown
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:win_alina_pos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_gootkit_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Excel file xlsm 1b7821a2e0c24aeb38ae3a90b5c85c410fdc2e08c43e4964b1cca670d5543897

(this sample)

NanoCore

Executable exe 479dfa7690895205a1215d3edae68443671a448b6c09dc114d617c32f1a3d259

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 479dfa7690895205a1215d3edae68443671a448b6c09dc114d617c32f1a3d259

Comments