MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 208c8d3d035c56c2769c5a535d939ec67aa657522324d757ca8b3663d604684e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 208c8d3d035c56c2769c5a535d939ec67aa657522324d757ca8b3663d604684e
SHA3-384 hash: 749fbf8b542c69ce35a382b1db12e866a42a112de5c5231fbf52db9aa18effaa867d54b183562d9b7e5c3e8007825be9
SHA1 hash: fe638b651bcb1658fe05ee8efcc7fb80b698861e
MD5 hash: c8894606fae22da5dc89bc46abfa47de
humanhash: sweet-lake-hot-timing
File name:parcels.pdf.z
Download: download sample
Signature NanoCore
Create hunting rule
File size:225'238 bytes
First seen:2020-07-29 14:27:42 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 3072:BdjZv4OjJ//z+jPKL9TYrVduuDaNw4rPBq5U3qpJLSwccbDg3Nrx+yyPlhMlxZbk:PVvDzRTiVdTYwMPaJlDioyklhIiRT
TLSH 3324225DDEAB0CB9031072B0117B477A37FBA15D6CFC34299A8983BC14A24A1D9DA7C7
Reporter abuse_ch
Tags:DHL NanoCore nVpn RAT z


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: saimx.cartrack.com
Sending IP: 196.30.182.42
From: DHL International GmbH <ruth.tan@cartrack.com>
Subject: DHL EXPRESS PO#R2020416***** ARRIVAL NOTICE!
Attachment: parcels.pdf.z (contains "parcels.exe")

NanoCore RAT C2:
salespaul.hopto.org:9036 (185.165.153.26)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/208c8d3d035c56c2769c5a535d939ec67aa657522324d757ca8b3663d604684e/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 14:29:05 UTC
AV detection:
20 of 48 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecgi2pidlrlme5u4ljjv3e46yz5kmv2semsnov6krm3ghvqenbha._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/208c8d3d035c56c2769c5a535d939ec67aa657522324d757ca8b3663d604684e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z 208c8d3d035c56c2769c5a535d939ec67aa657522324d757ca8b3663d604684e

(this sample)

NanoCore

Executable exe 7926f37cb45c730b9fa347b9e605d1b8e6a055b97f335bf8f1ea99e953fc94da

  
Dropping
MD5 3bf4aee6d19b399a547595664aafe05b
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7926f37cb45c730b9fa347b9e605d1b8e6a055b97f335bf8f1ea99e953fc94da

Comments