MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b56d3671a079bf1ebc167aaf6dd7538ee6e76d3ac1bc44133235f0c5e9ae26ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b56d3671a079bf1ebc167aaf6dd7538ee6e76d3ac1bc44133235f0c5e9ae26ee
SHA3-384 hash: 11c6e859ddbad646407c7389239527a7140ecda17b7b9a4e4a019a838201e80a168bae064da5515fe3465bc81906d105
SHA1 hash: a0f2a54a5ce75d779d683fac322c21581e2dc168
MD5 hash: 0efdbf9c3361fcf067886ee6ffdc5978
humanhash: uniform-blue-london-rugby
File name:PROOF OF PAYMENT.IMG
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'638'400 bytes
First seen:2020-11-07 10:09:43 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 24576:m2/JXyxL4HEZlPgULQqZyyVPL4juutoEjsfC:R/uL4k/LdxPn81jw
TLSH 8E75AEF97241E69FC80F443FF84B2C619394DB2E96EA814752C7B11D137C6CE9A680DA
Reporter abuse_ch
Tags:img NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: smg4.telkomsa.net
Sending IP: 105.187.200.242
From: Anthony Peterson <mail53266@telkomsa.net>
Reply-To: Anthony Peterson <anthonypterson@mail2world.com>
Subject: Proof Of Payment
Attachment: PROOF OF PAYMENT.IMG (contains "PROOF OF PAYMENT.exe")

NanoCore RAT C2:
amechi.duckdns.org:3190 (79.134.225.69)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Bulz.190499.23489.24621.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b56d3671a079bf1ebc167aaf6dd7538ee6e76d3ac1bc44133235f0c5e9ae26ee/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-07 06:12:27 UTC
AV detection:
13 of 48 (27.08%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wvwtm4napg7r5pawpkxw3v2tr3too3j2yg6eiezsgxyml2noe3xa._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img b56d3671a079bf1ebc167aaf6dd7538ee6e76d3ac1bc44133235f0c5e9ae26ee

(this sample)

NanoCore

Executable exe dcd49164183272088d635cfedfb13caba79357c224bcba1bce288c26093200c2

  
Dropping
MD5 c740481d0f8d93350791bd77a554c1a6
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 dcd49164183272088d635cfedfb13caba79357c224bcba1bce288c26093200c2

Comments