MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9afdcf267dabab078ddf414955ccee9cb5e5cc66a5cfbf66896cd5f9c7db2abe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9afdcf267dabab078ddf414955ccee9cb5e5cc66a5cfbf66896cd5f9c7db2abe
SHA3-384 hash: 5c31ab9ee0392d08b6d27ed5a391c9380fd5bc9c841d3ffc21125c4a2f18b808aefc28751e532241a0a3568c54d55f62
SHA1 hash: 544fe28eacd040e86e68f6387671470034a686c6
MD5 hash: 3eb98e6d2947a758a72d4a25156c6562
humanhash: white-pluto-floor-failed
File name:ÖDEME_29-07-2020.r11
Download: download sample
Signature NanoCore
Create hunting rule
File size:562'254 bytes
First seen:2020-07-30 06:38:11 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:kdfVT9qM9tH/0m/ipFAEeyjbeUs3bAvz79mhNl9w6e7u2If:ODqY1smzEe2Vvz792E7pIf
TLSH 85C4237FFA800DE1A92654F80386F00BAD27BD39745A7A481424FA5348D5627FE6327B
Reporter abuse_ch
Tags:geo NanoCore nVpn r11 RAT TUR


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: vps.uncethsa.com
Sending IP: 45.95.170.154
From: Furkan Dogan <info@uncethsa.com>
Subject: Re: ÖDEME TRANSFERİ
Attachment: ÖDEME_29-07-2020.r11 (contains "ÖDEME_29-07-2020.exe")

NanoCore RAT C2:
tgfhgfd.casacam.net:6331 (194.5.97.25)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.97.0 - 194.5.97.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU5
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: SUB-ALLOCATED PA
mnt-by: PRIVACYFIRST-MNT
created: 2018-07-23T09:31:45Z
last-modified: 2020-07-30T03:48:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9afdcf267dabab078ddf414955ccee9cb5e5cc66a5cfbf66896cd5f9c7db2abe/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 06:40:07 UTC
AV detection:
19 of 48 (39.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tl646jt5vovqpdo7ifevlthots26ltdguxh36zujntk7tr63fk7a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9afdcf267dabab078ddf414955ccee9cb5e5cc66a5cfbf66896cd5f9c7db2abe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar 9afdcf267dabab078ddf414955ccee9cb5e5cc66a5cfbf66896cd5f9c7db2abe

(this sample)

NanoCore

Executable exe f80127513813eeb1bc2dd4aa089ad41c4bf9eb6cfdbd4aaf8490486d3eeca613

  
Dropping
MD5 d65504a5871f3d2cfc6bc19b27741898
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f80127513813eeb1bc2dd4aa089ad41c4bf9eb6cfdbd4aaf8490486d3eeca613

Comments