MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c321c5bdc82d554ea695bb5927a9c23ffa7dd9301fabc68981ad4e0ac956a51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 3c321c5bdc82d554ea695bb5927a9c23ffa7dd9301fabc68981ad4e0ac956a51
SHA3-384 hash: 8500375b551bd0f77cf5010952a8bd9533d5fddc203be9a4d92a70fc5649060c165dd15ff1465d38299145181778856c
SHA1 hash: 9ee2b02b3bc95d1ecaf9699198474e63c7b6d367
MD5 hash: 557d7d397e7566fde718dd615add8e67
humanhash: music-edward-echo-purple
File name: INV3677290.xlsx
Signature: NanoCore
File size: 612'352 bytes
First seen: 2020-06-30 07:14:24 UTC
Last seen: Never
File type: Excel file xlsx
MIME type: application/encrypted
ssdeep: 12288:QWslYNYsOHfN3gvF7AtwR26l3lhZsUEet/p5X4ZW+dWpR:FZK13gt7AtwR26BjC/et/pWrdWp
TLSH: 0AD4238274D1DF2BE8A61CB84B69147C1D2DFC929B8AC0C5530D7728153CABCB79BB64
Reporter: @cocaman
Tags: NanoCore xlsx


Malicious email
From: "sales"<ealmonte@travers.com>
Received: from smtp3.cortmot-trading.cf (smtp3.cortmot-trading.cf [45.66.250.10])
Date: Tue, 30 Jun 2020 05:20:24 +0200
Subject: Pending Order #23741202-00
Attachment: INV3677290.xlsx

Intelligence


Mail intelligence
Trap location    Impact
DE Germany       Low
Global           High
CH Switzerland   Low
IT Italy         Low

# of uploads: 1
# of downloads: 32
Origin country: FR
ClamAV: PUA.Doc.Packed.EncryptedDoc-6563700-0
CERT.PL MWDB: Detection: n/a
Link: https://mwdb.cert.pl/sample/3c321c5bdc82d554ea695bb5927a9c23ffa7dd9301fabc68981ad4e0ac956a51/
ReversingLabs: Status: Malicious
Threat name: Document-Word.Exploit.CVE-2017-11882
First seen: 2020-06-30 04:03:41 UTC
AV detection: 26 of 48 (54.17%)
Threat level: 5/5
Spamhaus Hash Blocklist: Suspicious file
Hatching Triage: Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-4a7357y57j/
Tags: persistence evasion trojan keylogger stealer spyware family:nanocore
Config extraction: mogs20.hopto.org:1085
185.244.30.251:1085
VirusTotal: 36.67% detection rate
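Two fields in this record are worth checking against the bytes rather than trusting the extension: the file is named .xlsx, but the MIME type is application/encrypted and ClamAV labels it EncryptedDoc, which together describe a password-protected Office document stored in an OLE2/CFB container (MS-OFFCRYPTO) rather than a plain OOXML ZIP. The script below is an added example, not part of the MalwareBazaar page or its API: it recomputes the four hashes published in this entry for a local file, checks them against the entry, and classifies the container by magic bytes plus a raw scan for the EncryptionInfo/EncryptedPackage stream names. The hash values are copied from this entry; the input bytes used when testing it are constructed, and the stream-name scan is a triage heuristic, not a CFB directory parse. Whether the decrypted payload is the Equation Editor exploit that the ReversingLabs threat name refers to cannot be decided from the wrapper alone; the script only tells you which wrapper you are looking at.

```python
import hashlib

# Hash values as listed on this MalwareBazaar entry (copied from the page).
ENTRY_HASHES = {
    "sha256": "3c321c5bdc82d554ea695bb5927a9c23ffa7dd9301fabc68981ad4e0ac956a51",
    "sha3_384": "8500375b551bd0f77cf5010952a8bd9533d5fddc203be9a4d92a70fc5649060c165dd15ff1465d38299145181778856c",
    "sha1": "9ee2b02b3bc95d1ecaf9699198474e63c7b6d367",
    "md5": "557d7d397e7566fde718dd615add8e67",
}

# File signatures. A genuine .xlsx is an OOXML package, i.e. a ZIP archive.
# A password-protected OOXML file is instead stored in an OLE2 / Compound File
# Binary (CFB) container holding an EncryptionInfo and an EncryptedPackage
# stream (MS-OFFCRYPTO); libmagic reports such files as application/encrypted.
ZIP_MAGIC = b"PK\x03\x04"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entries store stream names as UTF-16LE, so a raw scan for the
# encoded names works much like `strings -el` on the file.
ENCRYPTION_INFO_UTF16 = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE_UTF16 = "EncryptedPackage".encode("utf-16-le")


def digest_all(data: bytes) -> dict:
    """Compute the four cryptographic hashes MalwareBazaar publishes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def matches_entry(data: bytes, expected: dict = ENTRY_HASHES) -> bool:
    """True only if every published hash matches; one mismatch means this is
    not the sample the entry describes (or a hash was transcribed wrongly)."""
    actual = digest_all(data)
    return all(actual[name] == value.lower() for name, value in expected.items())


def classify_container(data: bytes) -> str:
    """Classify an '.xlsx' by its magic bytes rather than by its extension:
      'ooxml-zip'      plain OOXML package (any ZIP archive matches this magic)
      'ole2-encrypted' CFB container that also carries the MS-OFFCRYPTO streams
      'ole2-cfb'       CFB container without those streams (legacy OLE / other)
      'unknown'        neither signature
    The stream-name check is a heuristic byte scan, not a CFB directory parse.
    """
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(CFB_MAGIC):
        if ENCRYPTION_INFO_UTF16 in data and ENCRYPTED_PACKAGE_UTF16 in data:
            return "ole2-encrypted"
        return "ole2-cfb"
    return "unknown"


def triage(data: bytes) -> dict:
    """Summarise what a first look at the bytes tells us about the file."""
    kind = classify_container(data)
    return {
        "container": kind,
        "matches_mb_entry": matches_entry(data),
        # A file claiming to be .xlsx whose bytes are not a ZIP is exactly the
        # mismatch this entry (MIME type application/encrypted) exhibits.
        "extension_mismatch": kind != "ooxml-zip",
        **digest_all(data),
    }


if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = triage(fh.read())
        for key, value in result.items():
            print(f"{path}: {key} = {value}")
```

Run it as `python3 triage.py INV3677290.xlsx` against a sample downloaded from the entry; `matches_mb_entry` confirms you have the exact bytes the record describes, and `container` tells you whether you need to recover the document password (the e-mail body usually carries it for this kind of lure) before any of the content-level detections can be reproduced.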

Yara Signatures


Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  NanoCore
    Excel file xlsx 3c321c5bdc82d554ea695bb5927a9c23ffa7dd9301fabc68981ad4e0ac956a51 (this sample)

Delivery method: Distributed via e-mail attachment
