MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85aaf0f327e13819260da3bec2a794b8f5f1023134829b04b349903d3d14d10f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85aaf0f327e13819260da3bec2a794b8f5f1023134829b04b349903d3d14d10f
SHA3-384 hash: 5d8809246ffbcb2ecec9d364af7a6d2ac142111643857ef69a275003b2397de8c857fa241c94770ab4fee8bc02c6afa1
SHA1 hash: 68e936c26eee74b76927020726b8054acedddc0d
MD5 hash: 210b29abe2ed69bfe9ef2ce3a5574a77
humanhash: snake-magazine-california-nuts
File name:R.F.Q.05112020..gz
Download: download sample
Signature NanoCore
Create hunting rule
File size:928'101 bytes
First seen:2020-05-11 09:19:23 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 24576:oCuhfluMFDZcKjlytRN0XT+pA5WgriIXJK3Fj:oCutlJZcKjqYKpyrKFj
TLSH 671533E6B7D384E5998DFF161B0D27AE69407563B405B87B4CB8C280EFD6B9186A0DC0
Reporter abuse_ch
Tags:gz NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: qproxy2.mail.unifiedlayer.com
Sending IP: 69.89.16.161
From: Freda <jack.wangg@zoho.com>
Reply-To: sparesmrrn@gmail.com
Subject: REQUEST FOR QUOTATION
Attachment: R.F.Q.05112020..gz (contains "R.F.Q.exe")

NanoCore RAT C2:
185.244.29.132:1985

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 09:36:34 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
17 of 48 (35.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qwvpb4zh4e4bsjqnuo7mfj4uxd27carrgsbjwbftjgid2piu2ehq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz 85aaf0f327e13819260da3bec2a794b8f5f1023134829b04b349903d3d14d10f

(this sample)

NanoCore

Executable exe 43e1811a05462e842241e679ba6735adbec0b5e24892df70a411f884d07500d5

  
Dropping
MD5 c61c73498de65a9ff66b2414830e6acf
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 43e1811a05462e842241e679ba6735adbec0b5e24892df70a411f884d07500d5

Comments