MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45e510c900497d9403675054fdf57d4da0c0223a22fc9e843b273c8798de364d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 3



SHA256 hash: 45e510c900497d9403675054fdf57d4da0c0223a22fc9e843b273c8798de364d
SHA3-384 hash: 6c6c2d607406df23bc9717e563f31ef2c2e111aef9a4baf0d4656157d0f9d9f12b5a44f706952ede2d58df47b5e36db5
SHA1 hash: f38e1229e38f209a2a5047ff9b234d49764344e2
MD5 hash: 1cb86c104be18b418294800ba5224e0b
humanhash: tango-hamper-romeo-nevada
File name: Investigations document Islamic Republic of Iran doc.arj
Signature: NanoCore
File size: 330'527 bytes
First seen: 2020-05-03 08:09:31 UTC
Last seen: Never
File type: arj
MIME type: application/x-rar
ssdeep: 6144:LO32TNy/lUAjnZld0jWTmnj8XyCPsNLJ6neE4FnVzYvUlxI0M:LJyd1Td31XyCP6LJ6n+5lYOI7
TLSH: CB64231ACDE0B85B95858A6654EA1153A6C336837800CBF89BB49B7CC6C79FF4119CCF
Reporter: abuse_ch
Tags: arj geo IRN NanoCore nVpn RAT


abuse_ch
Malspam distributing NanoCore:

HELO: dharmajaya.co.id
Sending IP: 103.113.170.147
From: دفتر مرکزی پلیس ملی <invitations@posta.hu>
Subject: Fwd:Re:Re:Re:دعوت نهایی نیروی انتظامی ایران.
Attachment: Investigations document Islamic Republic of Iran doc.arj (contains "Investigations document Islamic Republic of Iran doc.exe")

NanoCore RAT C2:
atiku2.duckdns.org:5626 (185.244.30.6)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_Foundation_Hungary
remarks: Budapest, Hungary
country: HU
org: ORG-FOSF3-RIPE
admin-c: FOSF1-RIPE
tech-c: FOSF1-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-04-06T19:58:39Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 83
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-05-03 08:35:37 UTC
File Type: Binary (Archive)
Extracted files: 5
AV detection: 17 of 31 (54.84%)
Threat level: 2/5

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NanoCore
arj 45e510c900497d9403675054fdf57d4da0c0223a22fc9e843b273c8798de364d (this sample)
Dropping: NanoCore
Delivery method: Distributed via e-mail attachment

Comments