MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1f3590b016f4acb4444ecc1bad024de7b3004a2379f72f3e5bfb66e09c8322d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1f3590b016f4acb4444ecc1bad024de7b3004a2379f72f3e5bfb66e09c8322d
SHA3-384 hash: 29085d27532071f0604d899bae68dc7e974f86095bdf4fed201920f4a7e75cb3dc6cccac826c4d7be00106b7b08a9196
SHA1 hash: 5f31aa9cf8d526098e9d401e4a28c2019cbbdd30
MD5 hash: 99d818899e29350fc8424d8a9b657c15
humanhash: mobile-rugby-shade-helium
File name:Receipt.img
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'769'472 bytes
First seen:2020-10-09 15:44:02 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 12288:sql8c6mXPyVyqq36uGz3OccXOAKUQJAai5PCwsGMktHw6QgWlVAuVgVMBP35lo2Y:7l8c6nyqeVo3OZXvfQJAaqCb6
TLSH 4C855A983240B59EC597E8328F54DC74A7507C6A870BC213B0E73E9FBABC5979E141B2
Reporter abuse_ch
Tags:FedEx img NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mail.motonina.ml
Sending IP: 45.147.162.146
From: FedEx Express. <admin@motonina.ml>
Subject: Parcel pickup
Attachment: Receipt.img (contains "Receipt.exe")

NanoCore RAT C2:
u852117.nvpn.to:5638 (185.244.30.163)

Hosted on nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-10-07T21:39:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1f3590b016f4acb4444ecc1bad024de7b3004a2379f72f3e5bfb66e09c8322d/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 12:30:47 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhzvscybn5fmwrce5ta3vube3z5tabfcg6pxf47fx63g4coigiwq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1f3590b016f4acb4444ecc1bad024de7b3004a2379f72f3e5bfb66e09c8322d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img c1f3590b016f4acb4444ecc1bad024de7b3004a2379f72f3e5bfb66e09c8322d

(this sample)

NanoCore

Executable exe 8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17

  
Dropping
MD5 f78c482e3e245d5c735d29d9b215e034
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8551c05301b50a17763637cca7f291a6b779c82f16275f734e793f6a0e7e1a17

Comments