MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 25d7af8d23bc096e2a290e4a5b71e084bdd3ced11b22ad8feac54ac6bf5e38a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NanoCore
Vendor detections: 3
| SHA256 hash: | 25d7af8d23bc096e2a290e4a5b71e084bdd3ced11b22ad8feac54ac6bf5e38a7 |
|---|---|
| SHA3-384 hash: | 03a19c60bfc4584044db7b2c63010c54e097946081ed5db565893fc94e3f5e36588d2c9f9ef49ad587eb87b3048a9578 |
| SHA1 hash: | 98ecec4db29a88914d15f8abcb921e9eca4c6c68 |
| MD5 hash: | 29e0af3bbafc0cf04eddaa1b6b2fe72e |
| humanhash: | cola-arkansas-jig-texas |
| File name: | United Parcel Service Versandbenachrichtigung.r11 |
| Download: | download sample |
| Signature | NanoCore |
| File size: | 380'495 bytes |
| First seen: | 2020-08-05 08:39:28 UTC |
| Last seen: | Never |
| File type: | rar |
| MIME type: | application/x-rar |
| ssdeep | 6144:NxEWK9f+HMdpDkHd4rgJ2xmYr4Id5cYnAHm2ddfZgEHOUuVKyiNL5/BXE4OT7kCg:wWA+sDDkAgJ2mDVYnAGCgET+KN5ZXE41 |
| TLSH | D2842348616BDA06DEAED53A0FA89D69CCCC5E2937BC7153242E50F907ECA60C7C7634 |
| Reporter |  abuse_ch |
| Tags: | DEU geo Hostwinds NanoCore nVpn r11 RAT UPS |
abuse_ch
Malspam distributing NanoCore:HELO: hwsrv-753851.hostwindsdns.com
Sending IP: 104.168.198.242
From: UNITED PARCEL SERVICE DRUCKEMPFANG <info@grodab-chemie-de.com>
Subject: Re: United Parcel Service Versandbenachrichtigung
Attachment: United Parcel Service Versandbenachrichtigung.r11 (contains "United Parcel Service Versandbenachrichtigung.exe")
NanoCore RAT C2:
fortyu.duckdns.org:1369 (185.165.153.19)
Pointing to nVpn:
% Information related to '185.165.153.0 - 185.165.153.255'
% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'
inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE
Intelligence
File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2020-08-05 02:25:03 UTC
AV detection:
23 of 48 (47.92%)
Threat level:
5/5
Detection(s):
Malicious file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Dropping
NanoCore
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.