MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca1b530ce016f01395cb639e3e1912ffd51541b8119b166a2e84607edcfe745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ca1b530ce016f01395cb639e3e1912ffd51541b8119b166a2e84607edcfe745
SHA3-384 hash: 80a7447d4c8ce2c11a1ac96e747c6c1ad5f13f71f255461836999ed16d5bb8b4a85e21ee3c8ba68c0b53913defc82772
SHA1 hash: 47cfdb2703e5228e74a41086f2dc18eae7dfcc70
MD5 hash: 2a45c86e223c1ddb8c55393d484ea036
humanhash: river-green-paris-minnesota
File name:STMPO3683HK.pdf.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:447'316 bytes
First seen:2020-07-08 06:56:18 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:lG9noOgCX5WFm9l8a8BCxUzd032YTprbw0dM:lgo7CX6mo9y2e9bwwM
TLSH 93942352E06C60FCD23F34EECAC08395F8699157258B9B24DF4C8FAA6390D5678BB534
Reporter abuse_ch
Tags:NanoCore nVpn RAT zip


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: cloud.spring.net.in
Sending IP: 103.127.29.248
From: Maria Sohail <acct1@vinflair.com>
Subject: Re: Outstaning Statement
Attachment: STMPO3683HK.pdf.zip (contains "STMPO3683HK.exe")

NanoCore RAT C2:
darlingtondc.hopto.org:1905 (185.165.153.17)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ca1b530ce016f01395cb639e3e1912ffd51541b8119b166a2e84607edcfe745/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 06:58:06 UTC
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsq3kmgoafxqcok4wy46hymrf76vcva3qem3czvc5bdap3op45cq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 3ca1b530ce016f01395cb639e3e1912ffd51541b8119b166a2e84607edcfe745

(this sample)

NanoCore

Executable exe 9eb1cd61e77d7133bd5252c9c7574d4171ba60c856dbedd15754c5b0e3c827b4

  
Dropping
MD5 76a8f2eb76dce33384b6eae299b861cd
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9eb1cd61e77d7133bd5252c9c7574d4171ba60c856dbedd15754c5b0e3c827b4

Comments