MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1df9981a7596481cecebdb08903d97429d04ba5576117441175a8fe4c7d0b731. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1df9981a7596481cecebdb08903d97429d04ba5576117441175a8fe4c7d0b731
SHA3-384 hash: 0213e2f0b564582652ea5f2eca92362185378f6987295081308eeacefd78ee80ba6b923a7b86d2b8d228303e79d6f600
SHA1 hash: 383381a4790dc1ce53bfb8c64d3edc4223765722
MD5 hash: 4f6dc3d9ad83d6404362cf94a91adb06
humanhash: speaker-paris-ceiling-quiet
File name:PO.iso
Download: download sample
Signature NanoCore
Create hunting rule
File size:434'176 bytes
First seen:2020-06-03 09:02:48 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 12288:NJtaLotHpAhjlcEUd1U+Zxqm/sTlNYIteY8++NRJ:lta5lnteP+Mz
TLSH E594E16132686D13CA7D04F5A452611493FA9456A6E2E3C9BCCE71EB13D3FF10A32B83
Reporter abuse_ch
Tags:iso NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: server.kanal77.com.mk
Sending IP: 195.201.106.101
From: Orascom-Trading Company <notices@orascom-trading.com>
Subject: Purchase Order *EID:OFF-20060114239236381* NIV/S/PO/20/0036-1 - Dated : 03/06/2020
Attachment: PO.iso (contains "PO.exe")

NanoCore RAT C2:
megida123.ddns.net:9900 (91.193.75.15)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2019-12-05T05:39:00Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 00:50:00 UTC
AV detection:
12 of 31 (38.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dx4zqgtvszebz3hl3mejapmxikoqjosvoyixiqixlkh6jr6qw4yq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso 1df9981a7596481cecebdb08903d97429d04ba5576117441175a8fe4c7d0b731

(this sample)

NanoCore

Executable exe e3f7e46443905093f45dc19c371eecc0fb10d3d8c81941f1f75a274cabdab033

  
Dropping
MD5 9c0d589585eead40ad551cba9168b079
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 e3f7e46443905093f45dc19c371eecc0fb10d3d8c81941f1f75a274cabdab033

Comments