MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4823140623086754f639b278818558b914011cd912be93b99d029963c7f555a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4823140623086754f639b278818558b914011cd912be93b99d029963c7f555a6
SHA3-384 hash: 4734d8511a54ade35547a6c3a8b9a686ca7ef0d99edf16f8f030e66db6d123aa5a23ee58c8f8464a47ffe1b90601d1e6
SHA1 hash: 7aa801581d18073e1ebbe8f7c72b823e6e34272b
MD5 hash: 3ee77e96c0e9133057df9e967c927322
humanhash: idaho-timing-green-one
File name:Covid-19 Vaccine.gz
Download: download sample
Signature NanoCore
Create hunting rule
File size:245'035 bytes
First seen:2020-03-30 12:49:13 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 6144:tpTSgHjl2BOoGTOWt+6UfNg6H4Tz7PGMsUPSBsbgz:v5kOoM+1g6H4Tz7vHqGkz
TLSH 4B34237A0DFD5D3D3FE980CE2C6DBB56E35C48A66D2F2B65006E46E4622841B3130F69
Reporter abuse_ch
Tags:COVID-19 gz NanoCore RAT


Avatar
abuse_ch
COVID-19 themed malspam dropping NanoCore RAT:

HELO: sv553.xserver.jp
Sending IP: 120.136.10.54
From: CDC Health Alert <shotaro1@jkdcollective.jp>
Subject: CDC-INFO-Corona Virus Viccine found
Attachment: Covid-19 Vaccine.gz (contains "Covid-19 Vaccine")

RemcosRAT C2:
www.rmagent.xyz:10004

Domain resolves to 91.193.75.250:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoader33.24292.10607.20852.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-03-30 13:35:30 UTC
File Type:
Binary (Archive)
Extracted files:
18
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jarribrdbbtvj5rzwj4idbkyxekachgzck7jhom5akmwhr7vkwta._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz 4823140623086754f639b278818558b914011cd912be93b99d029963c7f555a6

(this sample)

NanoCore

Executable exe d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a

  
X
https://twitter.com/c0d3inj3cT/status/1244593577218445317
  
Dropping
MD5 ff3f55a6629ef141e6e3ffb2d14b137c
  
Dropping
SHA256 d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a

Comments