MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b5143b685f294c156d2d0b8d3e64eb4874f82dc0c8a40ab5bd8d5dc02f61fe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: NanoCore
Vendor detections: 3

SHA256 hash: 8b5143b685f294c156d2d0b8d3e64eb4874f82dc0c8a40ab5bd8d5dc02f61fe8
SHA3-384 hash: 947d11946bf8cce853a0d8bd44e805518e318b319c954024f417ddc7547da8a049d4075511bb6fcfba94a18a137834fa
SHA1 hash: f29a91aea486a3a5cbf0820dbbf5d0ab02db78e7
MD5 hash: 2628b10f9c28aa7d04311a2b55f151c1
humanhash: august-cat-xray-michigan
File name: PURCHASE ORDER TOUSE IMPORT EXPORT CO. ,LTD.ZIP FILE.z
Signature: NanoCore
File size: 1'011'589 bytes
First seen: 2020-08-16 18:55:32 UTC
Last seen: Never
File type: z
MIME type: application/x-rar
ssdeep: 24576:WC1ix/7tHHO5wX8rBvhS5jALhZr0gkq97ocbNDourX1RarBNNEvd6HLc:WC18/taVBv8ALhJJkq97BuKX1Eid6A
TLSH: 9925339257126F11DDFEC791592D8C643CD10E358AA701F97A0B70F8D21EB6BAF23982
Reporter: abuse_ch
Tags: NanoCore nVpn RAT z


abuse_ch
Malspam distributing NanoCore:

HELO: rh1.idcolo.com
Sending IP: 110.232.73.75
From: narendra@csiindonesia.com
Subject: Re: New US order
Attachment: PURCHASE ORDER TOUSE IMPORT EXPORT CO. ,LTD.ZIP FILE.z (contains "PURCHASE ORDER TOUSE IMPORT& EXPORT CO. ,LTD.ZIP FILE.exe")

NanoCore RAT C2s:
johnsuccess18.ddns.net:52943 (41.217.62.17)
185.165.153.114:52943

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE

Intelligence

File Origin
# of uploads: 1
# of downloads: 112
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-08-16 18:57:05 UTC
AV detection: 12 of 48 (25.00%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Malspam
Signature: NanoCore
File type: z
SHA256: 8b5143b685f294c156d2d0b8d3e64eb4874f82dc0c8a40ab5bd8d5dc02f61fe8 (this sample)
Dropping: NanoCore
Delivery method: Distributed via e-mail attachment
