MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61e5749fd285bc743fec5c8ddb350cf96baed8ee532dc39074e8bbe078a86bf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61e5749fd285bc743fec5c8ddb350cf96baed8ee532dc39074e8bbe078a86bf7
SHA3-384 hash: 635a8a3ec7c699872483a4c4a54b3ca0b9635219949a242a44282cd79b200584267305fef690185376463f80b3576d1d
SHA1 hash: 1f4d6586254a7ff44e74f298e61558625d26fcf1
MD5 hash: 7dc0c4c27b03a708bf7d7c0bd131680b
humanhash: virginia-bluebird-thirteen-minnesota
File name:invoice 1399.arj
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'010'313 bytes
First seen:2020-04-15 11:11:21 UTC
Last seen:Never
File type: arj
MIME type:application/x-rar
ssdeep 24576:XuBHMj52TvphOFMzXUhtBBu5J49aLCgIoNJg5ihpJO:Xu82TDOFMzXUFC2SCKNJg4ps
TLSH 892533EB7BCA560F92717FF98D95BFEAF22592D6610346382871112368DC46E090F263
Reporter abuse_ch
Tags:arj COVID-19 NanoCore nVpn RAT


Avatar
abuse_ch
COVID-19 themed malspam distributing NanoCore RAT:

HELO: contro.com
Sending IP: 94.177.232.203
From: "Roberto Azevêdo" <support@wto.org >
Subject: WTO_INTVTN_COVID-19
Attachment: invoice 1399.arj (contains "AGGA.exe")

NanoCore RAT C2:
79.134.225.116:1985

Hosted at nvpn:


% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Script-AutoIt.Trojan.Aitinject
Create hunting rule
Status:
Malicious
First seen:
2020-04-15 00:01:33 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
29 of 45 (64.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhsxjh6sqw6hip7mlsg5wnim7fv25whokmw4hedu5c56a6finp3q._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

arj 61e5749fd285bc743fec5c8ddb350cf96baed8ee532dc39074e8bbe078a86bf7

(this sample)

NanoCore

Executable exe ea35338c662bc09f08f43fa39ff9b7ca0ecfc8058ec5a32e63f8d661b3e13101

  
Dropping
MD5 608998e0907b74402ad7115e5f533116
  
Dropping
SHA256 ea35338c662bc09f08f43fa39ff9b7ca0ecfc8058ec5a32e63f8d661b3e13101
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 ea35338c662bc09f08f43fa39ff9b7ca0ecfc8058ec5a32e63f8d661b3e13101

Comments