MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 690fd66b2d2844fa4bd98c0b1f79fbf7fe9c38c5f187d1ee05757bda9c28984e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 690fd66b2d2844fa4bd98c0b1f79fbf7fe9c38c5f187d1ee05757bda9c28984e
SHA3-384 hash: 4eb44703afc3ec9c946ef4d6e200117995529630b955ecc6d2d74300a13ca9030563f43872a0a0bb04d45a3db26843c5
SHA1 hash: e004388f83243650ed3dd97564d0ba7461560538
MD5 hash: c6bed0ae958f524c96ea66abe4388143
humanhash: hydrogen-magazine-summer-princess
File name: COVID-19 PALLIATIVES BONUS ON PAGA.xlsx.scr
Signature: NanoCore
File size: 1'465'856 bytes
First seen: 2020-06-16 10:54:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7
ssdeep: 24576:lAHnh+eWsN3skA4RV1Hom2KXMmHafEHgqKs31lHJ7MjDQk929/13BUprdwtT5:Uh+ZkldoPK8Ya8HgqKs31lHJ7MjDZ2E6
TLSH: 3A65AF033780C079FFAA91B36B16E24467BDAC798127951E27C82ABA6DF05B1163D713
Reporter: @abuse_ch
Tags: COVID-19, NanoCore, nVpn, RAT, scr


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: vps11112.inmotionhosting.com
Sending IP: 192.145.237.232
From: Paga comms <no-reply@mypaga.com>
Reply-To: Paga comms <PAGAA@mail.com>
Subject: COVID-19 PALLIATIVES BONUS ON PAGA
Attachment: COVID-19 PALLIATIVES BONUS ON PAGA.xlsx.zip (contains "COVID-19 PALLIATIVES BONUS ON PAGA.xlsx.scr")

NanoCore RAT C2:
grace532.publicvm.com:7171 (79.134.225.76)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 30
Origin country: FR

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence
Threat name: Win32.Trojan.Predator
Status: Malicious
First seen: 2020-06-16 10:56:05 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour:
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run entry to start application
Drops startup file

Yara Signatures


Rule name: win_blackshades_w0
Author: Jean-Philippe Teissier / @Jipe_

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe 690fd66b2d2844fa4bd98c0b1f79fbf7fe9c38c5f187d1ee05757bda9c28984e (this sample)

Delivery method: Distributed via e-mail attachment

Comments