MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d8c0ab90bb231e276f5f3cf44de4064a6d78cfb8c9a0eb121f3454b747bb84c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d8c0ab90bb231e276f5f3cf44de4064a6d78cfb8c9a0eb121f3454b747bb84c
SHA3-384 hash: 318b9b88b28c7d7682f4d274a8c45e45b62832a95dac21a3c2e838932454c6f5cea5c4b02593842e90a3758dfb24f70d
SHA1 hash: e507a86c03b19f4fff8d2cb6db23bbf378689362
MD5 hash: 04f764fa2862e93c705e5993692ceced
humanhash: leopard-alabama-pip-coffee
File name:URGENT RFQ 102720.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:446'130 bytes
First seen:2020-10-27 16:48:03 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:I5ct4hWa6SId71wqPOyIBpVaTgiwHczelXTnkBs5eGyS:I5c+hWrr71wqKpgTgiw1VT3Np
TLSH 369423A10B31AFC36D815E60D34849903FEAC7DCA09AD5DC6063DBBE674ADF06F08499
Reporter abuse_ch
Tags:NanoCore nVpn RAT zip


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: webmail.indarico.it
Sending IP: 81.29.203.198
From: Sales Director <sales@doosan-group.com>
Subject: URGENT #RFQ
Attachment: URGENT RFQ 102720.zip (contains "URGENT #RFQ 102720.exe")

NanoCore RAT C2:
185.140.53.251:1995

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-BE
country: BE
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-10-02T20:59:33Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Heur.1782.15457.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d8c0ab90bb231e276f5f3cf44de4064a6d78cfb8c9a0eb121f3454b747bb84c/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 15:45:48 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwgavoilwiy6e5xv6phujxsamstnpdh3rsna5mjb6ncuw5d3xbga._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d8c0ab90bb231e276f5f3cf44de4064a6d78cfb8c9a0eb121f3454b747bb84c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 2d8c0ab90bb231e276f5f3cf44de4064a6d78cfb8c9a0eb121f3454b747bb84c

(this sample)

NanoCore

Executable exe cce5d9e4fd5ca9142510f3b21d0a73906171e90a815520985687dde13b6e643d

  
Dropping
MD5 539d718ff89176e3f3277d71b055242d
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 cce5d9e4fd5ca9142510f3b21d0a73906171e90a815520985687dde13b6e643d

Comments