MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8108c1b8ab90330b42d1097bd7aa2f49163c4c1140cba33a70d5164674c016e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8108c1b8ab90330b42d1097bd7aa2f49163c4c1140cba33a70d5164674c016e0
SHA3-384 hash: e6ee51f122e71c98e041e12b9ba061f88e3b389bf1e1280c0add91942422c39d0f9b876fa30923e8601956f2fb67031c
SHA1 hash: f1aecafb6325c1ee79c4bfabe275f07836a2ac86
MD5 hash: 546498da853f5068700763ad369fb6f2
humanhash: whiskey-wyoming-ink-quiet
File name:NUEVO PO 7609EF66,pdf.iso
Download: download sample
Signature NanoCore
Create hunting rule
File size:507'904 bytes
First seen:2020-10-14 15:09:03 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 768:ntctnzwDja4+EBXPF8ozYeU+68jO0hIQGNK/2/iGgGiMkIKbQQZZKdM8sScR9Ap+:VxK+nTGNaG29AqSjpPeRUf
TLSH AAB4230A7259CF51C42F10B8C997C1F593B33DB9DD488FE336C9BE9675B22852A06683
Reporter abuse_ch
Tags:iso NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: plesk1.enpatagonia.net
Sending IP: 209.126.124.211
From: BOMI DE CHILE <sales@bomigroup.com>
Subject: NUEVO PO # 7609EF66
Attachment: NUEVO PO 7609EF66,pdf.iso (contains "NUEVO PO # 7609EF66,pdf.exe")

NanoCore RAT C2:
godfavour234.ddns.net:3431 (79.134.225.76)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE


Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8108c1b8ab90330b42d1097bd7aa2f49163c4c1140cba33a70d5164674c016e0/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 20:05:18 UTC
AV detection:
16 of 48 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qeemdoflsazqwqwrbf55pkrpjeldytaridf2gotq2ulem5gac3qa._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8108c1b8ab90330b42d1097bd7aa2f49163c4c1140cba33a70d5164674c016e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

iso 8108c1b8ab90330b42d1097bd7aa2f49163c4c1140cba33a70d5164674c016e0

(this sample)

NanoCore

Executable exe 2bf089ca557a9f45614b8c69d1e99c2865ccce16d5623d43f058421ddd16e3e4

  
Dropping
MD5 b38da63125504acc8e034a8feadc6000
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2bf089ca557a9f45614b8c69d1e99c2865ccce16d5623d43f058421ddd16e3e4

Comments