MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75b58f5bbc7789d354609940e2aab3978642818d57bd481e0d83d6ab5f0d277c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 2

SHA256 hash: 75b58f5bbc7789d354609940e2aab3978642818d57bd481e0d83d6ab5f0d277c
SHA3-384 hash: 5d8575127834d90f353c67b85547b4d8acd44436bb6bb7418f0c4386a4a3d8b5bff92715f40d4833b5f2391b91fbfe2d
SHA1 hash: dfdc0f21e696e38d040c3923cf6f9b76cfb7e5fd
MD5 hash: db42c2a5436b084a8ca2cb0c7b661de0
humanhash: maryland-maine-lactose-wyoming
File name: Price Request.img
Signature: NanoCore
File size: 1'900'544 bytes
First seen: 2020-05-28 13:58:05 UTC
Last seen: Never
File type: img
MIME type: application/x-iso9660-image
ssdeep: 24576:ktb20pkaCqT5TBWgNQ7apA0XnkE2MdUIH2fOrAsU0uc7V6A:NVg5tQ7apxnkEbLrAsU0ucJ5
TLSH: 4195D01373DE8365C3B25273BA25B741BE7F782506B1F56B2FD8093DE920122521EA63
Reporter: abuse_ch
Tags: img NanoCore nVpn RAT


abuse_ch
Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.158.42.8
From: Richard Carlos <pedro.henrique@medbeta.com.br>
Reply-To: rickshopamericanrental.com@gmail.com
Subject: Price Request
Attachment: Price Request.img (contains "Price Request.exe")

RemcosRAT C2:
u852121.nvpn.so:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 67
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Aitinject
Status: Malicious
First seen: 2020-05-28 15:02:17 UTC
File Type: Binary (Archive)
Extracted files: 27
AV detection: 15 of 48 (31.25%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img 75b58f5bbc7789d354609940e2aab3978642818d57bd481e0d83d6ab5f0d277c (this sample)

Dropping: NanoCore
Delivery method: Distributed via e-mail attachment

Comments