MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 515b3f79e9567cc9e08b708c730e72bf57713359183766385686ba7eb631909c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 515b3f79e9567cc9e08b708c730e72bf57713359183766385686ba7eb631909c
SHA3-384 hash: 559f47405368ddee96a1cc3f3b8adee76d7bda6c6a867658cf61aa84b27ea140848db70526c0564f2010c5375a6671e0
SHA1 hash: 9e388456858f25db6d3c56e492614a18811a20cc
MD5 hash: 4a678f4fbfaf74d5905aefe922644cd4
humanhash: fish-coffee-eleven-november
File name:Receipt.img
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'638'400 bytes
First seen:2020-07-18 08:52:44 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 12288:7MLrMnqjzGYIdjMxMSo15GXacXYp3uyAjrMnnm3cg1ptsNiezG8aOytp4N2k4zU+:7+rvxguwcLjrF1pWigvyMH
TLSH 43755BF7964982DEC49F8EB8C4924B300587ED89F1F9920B03677C36767EBA0D985067
Reporter abuse_ch
Tags:img NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: comworks.servercontrol.com.au
Sending IP: 27.50.88.49
From: Accounts <billacceptance@payment.com>
Reply-To: johnnieanderson833@gmail.com
Subject: Receipt
Attachment: Receipt.img (contains "Receipt.exe")

NanoCore RAT C2:
u852117.nvpn.to:5638 (194.5.98.154)

Hosted on nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NOR
country: NO
descr: Sandefjord
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-07-14T18:04:10Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43510120.7868.32493.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/515b3f79e9567cc9e08b708c730e72bf57713359183766385686ba7eb631909c/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-07-18 06:32:16 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfnt66pjkz6mtyelocghgdtsx5lxcm2zda3wmocwq25h5nrrscoa._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/515b3f79e9567cc9e08b708c730e72bf57713359183766385686ba7eb631909c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img 515b3f79e9567cc9e08b708c730e72bf57713359183766385686ba7eb631909c

(this sample)

NanoCore

Executable exe ba3c522ea04c73aaeca836f3e37bf9a04f60db03e319cbd3f94d3a7600d56bd0

  
Dropping
MD5 0b8c072acb22101c098010cec8d903c2
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 ba3c522ea04c73aaeca836f3e37bf9a04f60db03e319cbd3f94d3a7600d56bd0

Comments