MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9973ff08337e84d15ceaa51863c1b0c26fd6c31c51a76916174410eb077cde6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 9973ff08337e84d15ceaa51863c1b0c26fd6c31c51a76916174410eb077cde6f
SHA3-384 hash: 900507ec1a4cbe376b091395ef832ec93f31c415513f6cb1088a003173efe0eb30b08dca6c68a34bd40aff138fd48506
SHA1 hash: 31e944a9ba467f308d39df3342db5b614b75f478
MD5 hash: 9fd04b84f91d61efbc538a9a309e8e11
humanhash: angel-tennessee-violet-illinois
File name: USPS.IMG
Signature: NanoCore
File size: 1'900'544 bytes
First seen: 2020-06-17 18:15:31 UTC
Last seen: Never
File type: img
MIME type: application/x-iso9660-image
ssdeep: 24576:qtb20pkaCqT5TBWgNQ7acSi0NxuYCupJskuM6A:XVg5tQ7ac6xu7khf5
TLSH: 5095AE12339D8261F27D61737A156701EE7BE8250361B4E72FB68B3CAB131A1073A767
Reporter: @abuse_ch
Tags: img NanoCore nVpn RAT USPS


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: zimbra.fcjcorp.com
Sending IP: 54.158.42.8
From: USPS Dispatch <pedro.henrique@medbeta.com.br>
Reply-To: NOREPLY@USPS.COM
Subject: Pickup
Attachment: USPS.IMG (contains "USPS.exe")

NanoCore RAT C2:
u852121.nvpn.to:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 36
Origin country: US

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence
Threat name: Win32.Trojan.Predator
Status: Malicious
First seen: 2020-06-17 18:36:28 UTC
AV detection: 18 of 31 (58.06%)
Threat level: 5/5

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img 9973ff08337e84d15ceaa51863c1b0c26fd6c31c51a76916174410eb077cde6f

(this sample)

  
Dropping: NanoCore
Delivery method: Distributed via e-mail attachment
