MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4427d9e2cd3d36f98ac4447961ac50924389d02e2d91dd5780da63d0d7c8810f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4427d9e2cd3d36f98ac4447961ac50924389d02e2d91dd5780da63d0d7c8810f
SHA3-384 hash: f9061a9ebc6f31e7239ba81c1e0fd6cc2b089f96554ac344bda6318bf1520180ae2eddcd5c974c5202c310b9fe60337c
SHA1 hash: 783ab1bc4c8b3903b06098033a22abb6721615f1
MD5 hash: b07d31033088fd75eb2eb194e74aafbc
humanhash: island-london-alanine-leopard
File name:Invoice.img
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'245'184 bytes
First seen:2020-06-02 19:14:57 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 12288:2MhhKAYAJlW7uvOmT5RI53Bh1c+h/Mw5oXRS/PB2:g/AJlW7zQQ5q
TLSH E9458D9C762071EFC857D4729EA81C64EA9078BB931F5613A02B25DDEE4D897CF240F2
Reporter abuse_ch
Tags:img NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: antispam.ktu.edu.tr
Sending IP: 193.140.168.5
From: ahmet.sari@ktu.edu.tr
Subject: Payment has been sent
Attachment: Invoice.img (contains "Invoice.exe")

NanoCore C2:
185.244.29.223:24980

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 19:35:50 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
16 of 48 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqt5tywnhu3ptcweir4wdlcqsjbytubofwi52v4a3jr5bv6iqehq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img 4427d9e2cd3d36f98ac4447961ac50924389d02e2d91dd5780da63d0d7c8810f

(this sample)

NanoCore

Executable exe 640ec1c90399bdc31dcb2a5bc4fcfb9b2409d5e00b091eed599a423346475275

  
Dropping
MD5 0f3179899f28704dbf80c53be341d3cc
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 640ec1c90399bdc31dcb2a5bc4fcfb9b2409d5e00b091eed599a423346475275

Comments