MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ee0c209fbcc8251c6012112c71dd78005cd9b2aaa89aee722208e34523f2fea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ee0c209fbcc8251c6012112c71dd78005cd9b2aaa89aee722208e34523f2fea
SHA3-384 hash: d59b6a34c78c8c7e6c94cd89d2af43efcf4b7421dd03acb46aa0c253722aa1e1cd32b755adc8af54f69fddee1e066039
SHA1 hash: 8b5a2db633d4cb85cb650049f1dec18d3bc0a022
MD5 hash: f45c7ad8f893b2d233049041b4679b18
humanhash: maine-lima-beer-bacon
File name:PROOF OF PAYMENT.rar
Download: download sample
Signature NanoCore
Create hunting rule
File size:345'020 bytes
First seen:2020-07-07 09:23:06 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:2Bl//uHF/gltphNAkwotDHtrK7dj6gMo8WljQ9X9UxypLYlvoecwKloj3KYn21:2X/WHiXNAk1trBKROlo75Q9KyYlvovwS
TLSH 6374234FC9136E253C98415C67F863BBDD4D563BD81E484668C0784E9B6BBAB030C99F
Reporter abuse_ch
Tags:NanoCore nVpn rar RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: stpauls.stpaulsl.local
Sending IP: 97.82.28.20
From: ASETLINE FINANCE<asetline.za@gmail.com>
Reply-To: <asetline.za@gmail.com>
Subject: PROOF OF PAYMENT
Attachment: PROOF OF PAYMENT.rar (contains "PROOF OF PAYMENT.exe")

NanoCore RAT C2:
nansedd.duckdns.org:2133 (194.5.99.13)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: INTER_CLOUD_SERVICES_RUSSIA
admin-c: ICTR1-RIPE
tech-c: ICTR1-RIPE
org: ORG-ICR2-RIPE
country: RU
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-04T13:20:18Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ee0c209fbcc8251c6012112c71dd78005cd9b2aaa89aee722208e34523f2fea/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 09:25:06 UTC
AV detection:
17 of 31 (54.84%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3qmecp3zsbfdrqbeejmohoxqac43gzkvke25zzcechdiur7f7va._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 4ee0c209fbcc8251c6012112c71dd78005cd9b2aaa89aee722208e34523f2fea

(this sample)

NanoCore

Executable exe e4174e1702d046eb696fb13f9d7be26c7b519179ac94212ce61de97ed586cf10

  
Dropping
MD5 bb18d890356392ddf87214800ce5d539
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 e4174e1702d046eb696fb13f9d7be26c7b519179ac94212ce61de97ed586cf10

Comments