MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c6f6041beb87f62289cc92ae1a66023932dde34aad709920a767d72739cc571. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash: 2c6f6041beb87f62289cc92ae1a66023932dde34aad709920a767d72739cc571
SHA3-384 hash: 8e71b10e7806954286ac6b7beb91aeb67faabd64bd733948545d8e831a94b8cc486706e67bd832c192d422c58bcc4aab
SHA1 hash: d348e259aa31979be62a7f975eff5104f7b20ffa
MD5 hash: bbd8f222b9fd0f370f28de0e1bd0868b
humanhash: lima-georgia-potato-cola
File name: PO300620.doc
Signature: NanoCore
File size: 72'192 bytes
First seen: 2020-06-30 19:22:13 UTC
Last seen: 2020-06-30 19:52:24 UTC
File type: Word file doc
MIME type: application/msword
ssdeep: 1536:HX+Vn5YOONLXdvrqth8Q31Gyl0F6LtRb0R:3+Vn5Y5NLItpsU0F6pRb0R
TLSH: AA632A41B383CF4AE46581705CDACBF9723ABC0D4E1AD71732983B2E7DB6764C901A96
Reporter: @abuse_ch
Tags: doc NanoCore nVpn RAT


Twitter: @abuse_ch
Malspam distributing NanoCore:

HELO: semf05.mfg.siteprotect.com
Sending IP: 64.26.60.168
From: Shawn McKay <info@couvretoit.com>
Reply-To: prepre080@vivaldi.net
Subject: RESENDING: Quotation Needed
Attachment: PO300620.doc

NanoCore payload URL:
http://mrgeek.pk/wndll.exe

NanoCore RAT payload URL:
gold1.dnsupdate.info:4777 (79.134.225.84)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 34
Origin country: US

ClamAV: SecuriteInfo.com.Heuristic.HEUR.Macro.Downloader.MRDO.Gen.9908.UNOFFICIAL

CERT.PL MWDB
Detection: n/a
Link: https://mwdb.cert.pl/sample/2c6f6041beb87f62289cc92ae1a66023932dde34aad709920a767d72739cc571/

ReversingLabs
Status: Malicious
Threat name: Document-Word.Trojan.Rdn
First seen: 2020-06-30 19:24:05 UTC
AV detection: 16 of 48 (33.33%)
Threat level: 2/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage
Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-s19hr5s4qn/
Tags: evasion trojan keylogger stealer spyware family:nanocore
Config extraction: gold1.dnsupdate.info:4777
gold080.ooguy.com:4777

VirusTotal: 34.43%

Yara Signatures

Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: SUSP_VBA_FileSystem_Access
Author: Florian Roth
Description: Detects suspicious VBA that writes to disk and is activated on document open
Reference: Internal Research

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  NanoCore
    Word file doc 2c6f6041beb87f62289cc92ae1a66023932dde34aad709920a767d72739cc571 (this sample)

Delivery method: Distributed via e-mail attachment

Comments