MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63edc7f5313ba51fea2b72f6d33e76cad73fa54d6a5c6682011ac5dca96f1098. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63edc7f5313ba51fea2b72f6d33e76cad73fa54d6a5c6682011ac5dca96f1098
SHA3-384 hash: 8461c9939806cdd1dac39a2986e4d0fe3d76a5b76fe687feda3b529bee155d24519edde71a2ee530562bf575008087e2
SHA1 hash: 6cccde8378aaa04bfb02f6be47562e1b34155995
MD5 hash: 5c90caf26eab0d3b712d0e7bb5630fd6
humanhash: aspen-berlin-spring-four
File name:PROOF OF PAYMENT.7Z
Download: download sample
Signature NanoCore
Create hunting rule
File size:877'470 bytes
First seen:2021-02-01 08:01:23 UTC
Last seen:Never
File type: 7z
MIME type:application/x-rar
ssdeep 24576:eeeZnGvdQjBJu0MrhB7Q8LSLhSrXRzRbqTZ2+JL:eeeZGvGjBM0MRLAQrRFoPJL
TLSH 2E1523A0ADBD74B6D3B738585D62E177DC2FA671D02300249BB02ABDD1E5820D6F45BC
Reporter abuse_ch
Tags:7z NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: nitro.seedhost.eu
Sending IP: 95.168.168.200
From: account dept<account@mweb.co.za>
Reply-To: <hjfanels@gmail.com>
Subject: PROOF OF PAYMENT
Attachment: PROOF OF PAYMENT.7Z (contains "PROOF OF PAYMENT.exe")

NanoCore RAT C2:
amechi.duckdns.org:3190 (185.140.53.131)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-11-06T23:02:44Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63edc7f5313ba51fea2b72f6d33e76cad73fa54d6a5c6682011ac5dca96f1098/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 08:02:06 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpw4p5jrhosr72rlol3ngptwzllt7jknnjognaqbdlc5zklpccma._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/63edc7f5313ba51fea2b72f6d33e76cad73fa54d6a5c6682011ac5dca96f1098

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

7z 63edc7f5313ba51fea2b72f6d33e76cad73fa54d6a5c6682011ac5dca96f1098

(this sample)

NanoCore

Executable exe 45c4c7350970052a201b3982897ff0247a9c461c60ecf52cd9fdc60aed38ffd7

  
Dropping
MD5 5e5604114794f468c813d4d935a4cdbe
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 45c4c7350970052a201b3982897ff0247a9c461c60ecf52cd9fdc60aed38ffd7

Comments