MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca8fab40fbbaf3d389adce9db716872bd31e98e712488d5487d10612ef91ad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ca8fab40fbbaf3d389adce9db716872bd31e98e712488d5487d10612ef91ad6
SHA3-384 hash: d325223391ee2a959ac3a4aeb5076e996c917a7d02fdaf1b5bf01a4ca9045f2334c0d5e5d385f824fcbe945f7f3250ee
SHA1 hash: e0783fc7e85a011fe033ddb9f3d8e236b6e03f27
MD5 hash: bceb426ca536e83d333d9be4592ca40f
humanhash: yankee-coffee-twenty-hotel
File name:final bill copy 28.6.2020.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:236'318 bytes
First seen:2020-06-29 07:36:33 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:ic3LXQ8HFoOqBhu1OiqAbxjJBn2LxRzHLPe68xDXXE/hx:iULXvWOZOjuxjJB2jP+xrAx
TLSH 073422774AC023A5F6B9CD5426E5FC75784026D920BF6EA3E358078E09EC8B79860C5D
Reporter abuse_ch
Tags:NanoCore nVpn RAT zip


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: masterall10.rapidns.com
Sending IP: 180.149.242.95
From: Export <exports@inmaenterprises.com>
Subject: final shipping bill copy // INMA RE: Shipment for Amsterdam In001
Attachment: final bill copy 28.6.2020.zip (contains "final bill copy 28.6.2020.exe")

NanoCore RAT C2:
officezafar.hopto.org:3575 (79.134.225.105)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ca8fab40fbbaf3d389adce9db716872bd31e98e712488d5487d10612ef91ad6/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-06-29 07:38:05 UTC
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsupvnapxoxt2oe23tu5w4liok6td2mooesirvkipuigclxzdlla._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 3ca8fab40fbbaf3d389adce9db716872bd31e98e712488d5487d10612ef91ad6

(this sample)

NanoCore

Executable exe cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae

  
Dropping
MD5 cdb11d14d3d4d9629af79ca24674574b
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae

Comments