MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48d026cc763afe9192fc935b2ff637f9ea6763999c72394b82159dae2d8323ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 3



SHA256 hash: 48d026cc763afe9192fc935b2ff637f9ea6763999c72394b82159dae2d8323ea
SHA3-384 hash: 79eb8870c900a6a6805916c6634ff44ffee0f6fa27fb1a9b67b585efd3e556d63c205315c9899638202476cbd7bc27bd
SHA1 hash: b50fc8ff5808ae8637ea0708d68f873271f374ee
MD5 hash: 69c2d4ec8006fd78f8e5e4c21d052e0d
humanhash: fruit-pluto-venus-seventeen
File name: PO87484.gz
Signature: NanoCore
File size: 576'546 bytes
First seen: 2020-06-17 05:57:53 UTC
Last seen: Never
File type: gz
MIME type: application/gzip
ssdeep: 12288:vxSF1YECw7uqGqJjGFMeigYFcLLR+uSoVYmOY:vxSLHCH2JjGukUuSommOY
TLSH: 99C423C5D38ABBBB216B1E851B54658902ACC86C4BEE057045C4A4FF7887B16EF32773
Reporter: abuse_ch
Tags: gz NanoCore nVpn RAT


abuse_ch
Malspam distributing NanoCore:

HELO: smtp2.omasisda.tk
Sending IP: 46.105.81.72
From: linda@china-power-contractor.cn
Subject: RE: Fw: PO #00087484
Attachment: PO87484.gz (contains "PO87484.exe")

NanoCore RAT C2:
maggii.myq-see.com:20207 (79.134.225.111)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 61
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Infostealer.Chisburg
Status: Malicious
First seen: 2020-06-17 05:59:04 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz 48d026cc763afe9192fc935b2ff637f9ea6763999c72394b82159dae2d8323ea

(this sample)

  
Dropping: NanoCore
Delivery method: Distributed via e-mail attachment
