MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79c7be0e2d5b02f5ab3d907504d1c31d21acb7abec48bfd6b3ca3bf978ea8a2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79c7be0e2d5b02f5ab3d907504d1c31d21acb7abec48bfd6b3ca3bf978ea8a2f
SHA3-384 hash: c1f1a8261f284c33fbd6d5315e4206c9d06877f3bc630a95e746b0c5550ed9ce21e7dfdf157859ef8881e5e0251940dd
SHA1 hash: 2343020277a3ecd6e954dd298693bb9223435eae
MD5 hash: 308b2de9d3ec5013b851418520719fcc
humanhash: mobile-leopard-helium-mirror
File name:NEW ORDER.zip
Download: download sample
Signature NanoCore
Create hunting rule
File size:437'307 bytes
First seen:2020-05-05 11:02:30 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:dczVkVeGgDukPlM20SCUixtCYRdpkrBpaCH/VZm+9JlV0c+2GoEG3TfOXTo0F/Z9:dcWV4P6TlXdHq7h9R9+2H3TSj3pb
TLSH 4F9423B5034E1F17799483DFA9C3487BDBB81C07B4526843998CA5DB0846FD226FA5AC
Reporter abuse_ch
Tags:NanoCore nVpn RAT zip


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: cmsa501.odn.ne.jp
Sending IP: 210.134.90.1
From: Michilov Vasilev<sano1@eto.co.jp>
Subject: RE: AW: Our Request for Order
Attachment: NEW ORDER.zip (contains "NEW ORDER.exe")

NanoCore RAT C2:
som2020.zapto.org:1165 (185.140.53.6)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EJWW.19248.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.24143.ZipHeur.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 11:37:00 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
21 of 45 (46.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=phd34drnlmbplkz5sb2qjuodduq2zn5l5rel7vvtzi57s6hkrixq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip 79c7be0e2d5b02f5ab3d907504d1c31d21acb7abec48bfd6b3ca3bf978ea8a2f

(this sample)

NanoCore

Executable exe 8ff1070136cd6c74a1c79964233004f87434efb65bfc8dc5caf986bd62f12d86

  
Dropping
MD5 f0f7a4fd4ae11a32f44c846af92e71e0
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8ff1070136cd6c74a1c79964233004f87434efb65bfc8dc5caf986bd62f12d86

Comments