MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3398a1743d2bd1a4e2cafa6c0f45e016028e513aa6166928922beb667b594e9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 4



SHA256 hash: 3398a1743d2bd1a4e2cafa6c0f45e016028e513aa6166928922beb667b594e9f
SHA3-384 hash: 8de9fb4c4843f8b0d25c911a5048aab695c092a262e0e5511dbec956f1bb5d5139eea5a78522e8982c580c191a58679f
SHA1 hash: 0b34246751d669e11496eca383358ddf46b2c121
MD5 hash: d1874c4b29c4e9ec7ba0d0d6cf11583a
humanhash: butter-alanine-black-sink
File name: Quotations.PDF__________________________________________________.r13
Signature: NanoCore
File size: 11'950 bytes
First seen: 2021-03-03 06:17:42 UTC
Last seen: 2021-03-03 06:31:17 UTC
File type: zip
MIME type: application/zip
ssdeep: 192:5eaACrIZzE7EXW8Hsy5FmfkCfJ23M3Os7jFzYTGds0inIoYBQNbyHWi/+0ngCAz/:5ACrK47q3akCfsMe4RIFIoKQNby7gCAb
TLSH: 4F32BF82D0D3FE85C556BCBE6DA7549D98E6EA07E6879403C85BE08004CADB341623EC
Reporter: abuse_ch
Tags: NanoCore r13 RAT


abuse_ch
Malspam distributing NanoCore:

HELO: banabay.com
Sending IP: 185.29.8.55
From: Gio Fernandez <colombiama@banabay.com>
Subject: RE: quotations request
Attachment: Quotations.PDF__________________________________________________.r13 (contains "Quotation 2.PDF__________________________________.exe")

NanoCore RAT C2:
uiwsxnumhterwxcbnmowqacvyjngteaxctyhnbtyb.ydns.eu:5906

Intelligence


File Origin
# of uploads: 2
# of downloads: 256
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: ByteCode-MSIL.Backdoor.NanoBot
Status: Malicious
First seen: 2021-03-03 06:18:10 UTC
AV detection: 21 of 47 (44.68%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 3398a1743d2bd1a4e2cafa6c0f45e016028e513aa6166928922beb667b594e9f (this sample)

Dropping: NanoCore
Delivery method: Distributed via e-mail attachment
