MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c91d163d1956328bc15bc44ab57f8f473f97937dea1360b696ebc23d5a30c1c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: c91d163d1956328bc15bc44ab57f8f473f97937dea1360b696ebc23d5a30c1c5
SHA3-384 hash: 77cdc0101de3f9537ed1c136394b61f86e7e1d06dfc162fccfdd3ac2addbd08fbbebf803759c88a620dcf719863001d5
SHA1 hash: a856ed8364b4a807a12296be854289dddf785a8f
MD5 hash: 774d06d4ae1b55c173a8ca99fad177c6
humanhash: arkansas-black-jersey-vermont
File name: IePZajh9fm9DACV.iso
Signature: NanoCore
File size: 432'128 bytes
First seen: 2020-06-30 05:27:26 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 6144:U4u8Lx5ggJec3PZEemlbtPsuh2eOBlf1J9ZcDCVmUoWlIxfT9Tl:U4u8d5gKec/ZVmZVV2e2vCWVTHo
TLSH: D494E018362D6837CEA805F64482654007F6A1A235A3F3D97DCDB0E827D7BDD1E12BA7
Reporter: @abuse_ch
Tags: iso NanoCore nVpn RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: p3plwbeout14-06.prod.phx3.secureserver.net
Sending IP: 173.201.192.192
From: Gordon O'brien <Gordon.Obrien@g-obrien.co.uk>
Reply-To: Gordon O'brien <markhilton@blueyonder.co.uk>
Subject: L65190MH2004GOI148838
Attachment: IePZajh9fm9DACV.iso (contains "IePZajh9fm9DACV.exe")

NanoCore RAT C2:
u870797.nvpn.to:3119 (185.244.29.158)

Pointing to nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE
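The post above describes the two things a mail gateway can key on in this campaign: a Reply-To domain that differs from the From domain, and an .iso attachment that carries a Windows executable. The following triage script is an added example and is not code from MalwareBazaar or abuse.ch. It builds a message inline from the headers quoted in the post and attaches a constructed ISO-like byte blob (volume descriptor plus a bare PE header stub, not the real sample, not a mountable image), then runs the checks over it. The extension list and the "suspicious" threshold are assumptions to be tuned per environment.

```python
"""Added triage example for the NanoCore malspam pattern above.
Not MalwareBazaar code; message and ISO blob are constructed inline."""
import email
import email.utils
import os
import re
from email import policy
from email.message import EmailMessage

# Disk-image formats Windows auto-mounts on double-click; files extracted
# from them do not inherit the mark-of-the-web.
# Assumption: this list is a starting point, tune it per environment.
CONTAINER_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}


def is_iso9660(data: bytes) -> bool:
    """ISO 9660 volume descriptors start at sector 16 (16 * 2048 = 0x8000):
    byte 0 is the descriptor type, bytes 1..5 are the 'CD001' identifier."""
    return len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001"


def contains_pe(data: bytes) -> bool:
    """ISO 9660 stores file data uncompressed, so an embedded PE is visible in
    the raw image as an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        pe = off + e_lfanew
        if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
            return True
    return False


def _domain(header_value) -> str:
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message: bytes) -> dict:
    """Return findings for one RFC 5322 message plus a coarse verdict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain mismatch: {from_dom} -> {reply_dom}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext not in CONTAINER_EXTENSIONS:
            continue
        findings.append(f"disk-image attachment: {name}")
        payload = part.get_payload(decode=True) or b""
        if is_iso9660(payload):
            findings.append(f"{name} is an ISO 9660 image")
        if contains_pe(payload):
            findings.append(f"{name} embeds a PE executable")

    # Assumption: two or more independent signals is enough to hold the mail.
    verdict = "suspicious" if len(findings) >= 2 else "clean"
    return {"findings": findings, "verdict": verdict}


def build_fake_iso() -> bytes:
    """Constructed ISO-like blob: primary volume descriptor at sector 16 and a
    bare PE header stub in the next sector. Not a valid, mountable image."""
    img = bytearray(0x8000 + 2 * 2048)
    img[0x8000] = 1                                  # type 1 = primary descriptor
    img[0x8001:0x8006] = b"CD001"
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)         # 0x40-byte DOS header
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> right after it
    stub += b"PE\x00\x00"
    img[0x8800:0x8800 + len(stub)] = stub
    return bytes(img)


def build_sample_message() -> bytes:
    """Constructed message using the From/Reply-To/Subject/attachment name
    quoted in the post; body text is invented."""
    msg = EmailMessage()
    msg["From"] = "Gordon O'brien <Gordon.Obrien@g-obrien.co.uk>"
    msg["Reply-To"] = "Gordon O'brien <markhilton@blueyonder.co.uk>"
    msg["Subject"] = "L65190MH2004GOI148838"
    msg.set_content("Please find the attached document.")
    msg.add_attachment(build_fake_iso(), maintype="application",
                       subtype="x-iso9660-image", filename="IePZajh9fm9DACV.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample_message())
    for finding in result["findings"]:
        print("-", finding)
    print("verdict:", result["verdict"])
```

The PE scan works on the raw image precisely because ISO 9660 does not compress or encode file contents; it will not see a payload that is itself inside a password-protected archive on the ISO, so treat it as one signal among several, not a verdict on its own.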

Intelligence


File Origin
# of uploads: 1
# of downloads: 34
Origin country: US
Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-06-30 05:29:04 UTC
AV detection: 23 of 48 (47.92%)
Threat level: 5/5

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  NanoCore
    iso c91d163d1956328bc15bc44ab57f8f473f97937dea1360b696ebc23d5a30c1c5 (this sample)
      Dropping NanoCore

Delivery method: Distributed via e-mail attachment

Comments