MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e45843aa42e4e8b684254d51c0427e2133636a3dbbe2a337708048c8501c9b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e45843aa42e4e8b684254d51c0427e2133636a3dbbe2a337708048c8501c9b3
SHA3-384 hash: 74f9c1070cda30ca482ee387a72760835d0933c071bcae7cfc55b4bed64a6dc1ff2988e5d2c9d49d06b81edf237e9644
SHA1 hash: 9e8b3292ef33420c58d532648d24cceaec1474b4
MD5 hash: bb8115af78e5311fa6ecf099ec60bccb
humanhash: ten-lamp-social-arkansas
File name:DHL AWB TRACKING DETAIL.PDF.z
Download: download sample
Signature NanoCore
Create hunting rule
File size:454'584 bytes
First seen:2020-12-08 07:50:22 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 12288:E7KGtTKk24SAdMv7E0gbGzb89QlEXJytFfjBCJ6j9NYG:E7K8KsSQg7BgisQztBhj0G
TLSH 8AA423FBBC06CD6407E9979D41A120CC7274291B41A58EEDF379891D220CBB726A7E1F
Reporter abuse_ch
Tags:DHL NanoCore nVpn RAT z


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mail.aretering.ga
Sending IP: 188.225.58.123
From: DHL DELIVERY OFFICE <info@aretering.ga>
Subject: COMMERCIAL INVOICE AND BILL OF LANDING... 12/08/2020
Attachment: DHL AWB TRACKING DETAIL.PDF.z (contains "DHL AWB TRACKING DETAIL.exe")

NanoCore RAT C2:
chinomso.duckdns.org:7688 (194.5.98.56)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NO
country: NO
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-10-07T21:35:29Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Result
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e45843aa42e4e8b684254d51c0427e2133636a3dbbe2a337708048c8501c9b3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 07:51:04 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nzcyiovefzhiw2ccktkrybbh4ijtmnvd3o7cum3xbacizbibzgzq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6e45843aa42e4e8b684254d51c0427e2133636a3dbbe2a337708048c8501c9b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

z 6e45843aa42e4e8b684254d51c0427e2133636a3dbbe2a337708048c8501c9b3

(this sample)

NanoCore

Executable exe f1eee793a63b26c3b031faad22f15c106caeda0b91800efab5d3c10791806293

  
Dropping
MD5 f775f38a9f3a0dfe8dc4d3012a0a5e8f
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f1eee793a63b26c3b031faad22f15c106caeda0b91800efab5d3c10791806293

Comments