MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40b5b5c2ec38581616fce2f92f20dd5fa4f1cc1a5fcd516283d8ed752b67bf2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 3



SHA256 hash: 40b5b5c2ec38581616fce2f92f20dd5fa4f1cc1a5fcd516283d8ed752b67bf2b
SHA3-384 hash: 9806c262c10daa3b9041c60f655a2eca5baa336dcb0386c6dc25fd6c0a7a89e1f80d39419f5f4d904252f51c8a2c32aa
SHA1 hash: ff159f4dc3691a07ce12509e6cc57a1b59d97088
MD5 hash: 9a3b5733f3db497fbc43a3a8bb1c78f0
humanhash: blue-london-carpet-bulldog
File name: Anti_ covid19_Iwantani_vietnam_co.arj
Signature: NanoCore
File size: 341'603 bytes
First seen: 2020-04-14 09:41:18 UTC
Last seen: Never
File type: arj
MIME type: application/x-rar
ssdeep: 6144:OOXAJy+XaWlFA57GIHNywzstME73OKqE3bMy1oS3bZv4LCUJgtfNLTRnsqcNZt7c:OEuRKWPAlGIMtM4OKl3bMyv3bZv4LCUE
TLSH: 507423588D1D5F7A23695C21E518FE233CDB7AC437790EEA6915C160683ACEE2E36708
Reporter: abuse_ch
Tags: arj COVID-19 NanoCore nVpn RAT


abuse_ch
COVID-19 themed malspam distributing NanoCore RAT:

HELO: s1.1webhostingindia.com
Sending IP: 67.43.15.82
From: Iwatani Vietnam <nhule.iwatani@gmail.com>
Subject: Anti-covid-19 items
Attachment: Anti_ covid19_Iwantani_vietnam_co.arj (contains "Anti_ covid19_Iwantani_vietnam_co.exe")

NanoCore RAT C2:
185.244.29.199:4488

Hosted on nvpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP

Intelligence


File Origin
# of uploads: 1
# of downloads: 85
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-04-14 10:35:28 UTC
File Type: Binary (Archive)
Extracted files: 3
AV detection: 15 of 31 (48.39%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 40b5b5c2ec38581616fce2f92f20dd5fa4f1cc1a5fcd516283d8ed752b67bf2b (this sample)

Dropping: NanoCore
Delivery method: Distributed via e-mail attachment
