MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4238bac1e124c06377fec89e4e53247de20a383a1735fca78e0e3f76c9ab2838. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4238bac1e124c06377fec89e4e53247de20a383a1735fca78e0e3f76c9ab2838
SHA3-384 hash: 1db1c98bff074246a1e4c1f4e05dd2579b873fa437b4c6fcea57ae4befc86f2c4a5b0fdc01d46a58769aea48d2b4aa32
SHA1 hash: 9923c905902d0b56844b71e79c797b4c8f0f4dcf
MD5 hash: 546333334a80675886ab06aa9540b64d
humanhash: island-nine-moon-robin
File name:Doc_0210_10_07_2020.pdf.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:501'240 bytes
First seen:2020-07-10 07:27:00 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:y51C93IayosWQacpx74QfJdSiCH4G3yRG7nuZWll:yvK3RRQaS54QfJdSiCH4G77
TLSH CDB423FDA824949B0DAF86FCAFE40F315991307915DEEB137A6B03249C596451CBF428
Reporter abuse_ch
Tags:NanoCore nVpn RAT zip


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: cloud.spring.net.in
Sending IP: 103.127.29.248
From: Monica Cheng (Mrs) <account@gndc-ups.com>
Subject: Re: Inquiry(PO)
Attachment: Doc_0210_10_07_2020.pdf.zip (contains "Doc_0210_10_07_2020.exe")

NanoCore RAT C2:
darlingtondc.hopto.org:1905 (185.165.153.17)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.2197.30182.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4238bac1e124c06377fec89e4e53247de20a383a1735fca78e0e3f76c9ab2838/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 07:28:05 UTC
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ii4lvqpbetagg576zcpe4uzepxrauob2c427zj4oby7xnsnlfa4a._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 4238bac1e124c06377fec89e4e53247de20a383a1735fca78e0e3f76c9ab2838

(this sample)

NanoCore

Executable exe 2555c6b4e0ce36a2851a552bfdea36410360e55a877ff6028458b14088062c37

  
Dropping
MD5 68ee59f932e6c609036437d1c052e884
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2555c6b4e0ce36a2851a552bfdea36410360e55a877ff6028458b14088062c37

Comments