MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 3ef6bbe4ce97623e0fd6fd42d61357c04509a4b422089ed1a0691903dd2a7d24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NanoCore
Vendor detections: 4
| SHA256 hash: | 3ef6bbe4ce97623e0fd6fd42d61357c04509a4b422089ed1a0691903dd2a7d24 |
|---|---|
| SHA3-384 hash: | de06b184a5226cef556d501a12b49fdab3666f341ff3f8961c513cb04ed4f185a75ee92eddb18d3432afcb415d161c89 |
| SHA1 hash: | 7dbe954cdf4cee010bad0dcbd7e05d99db6da358 |
| MD5 hash: | eeaa3642e81d97d9ba5fbc5cf0ea2210 |
| humanhash: | montana-don-echo-louisiana |
| File name: | SCAN_COPY_364992946.PDF.Z |
| Download: | download sample |
| Signature | NanoCore |
| File size: | 510'547 bytes |
| First seen: | 2020-12-22 07:25:45 UTC |
| Last seen: | 2020-12-24 08:31:32 UTC |
| File type: | zip |
| MIME type: | application/zip |
| ssdeep | 12288:oYIXtNHY6FBT8EShro8boExqRq5i3uRTqkgQu0NEYCJJPsmet:oYIXtN9p8rwExQq5iuRmkgQlD |
| TLSH | 87B423D01A71B5A80B8BD1F9813A0450F1B7937465FA6C20F13EE11CBB9FAC27E89D52 |
| Reporter |  abuse_ch |
| Tags: | NanoCore nVpn RAT z |
abuse_ch
Malspam distributing NanoCore:HELO: somaci.com
Sending IP: 45.153.240.198
From: Megawin Switchgear P Ltd<sales.totalmaritime@outlook.com>
Subject: END OF YEAR ORDER
Attachment: SCAN_COPY_364992946.PDF.Z (contains "SCAN_COPY_364992946.exe")
NanoCore RAT C2:
mrjeffy.duckdns.org:2727 (79.134.225.6)
Pointing to nVpn:
% Information related to '79.134.225.0 - 79.134.225.127'
% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'
inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE
Intelligence
File Origin
# of uploads :
4
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Status:
Malicious
First seen:
2020-12-22 06:18:04 UTC
AV detection:
26 of 48 (54.17%)
Threat level:
5/5
Detection(s):
Malicious file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Dropping
NanoCore
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.