MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d159288c73518d2d4e79a7d6b6bd233f264ef4e5e618c92521023b2546d7674a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d159288c73518d2d4e79a7d6b6bd233f264ef4e5e618c92521023b2546d7674a
SHA3-384 hash: 00e3fdb48da803b12027dcca82d01469f1615432a14e305413492588b79b8efcee1d1ba7824d4fa70f9eb99a7175b7b4
SHA1 hash: c30da4cc21047b4207b4b33b7cb07f11d1e00344
MD5 hash: 8f55b52729c4d18bbc66cdd397f5aed3
humanhash: pennsylvania-fruit-johnny-maine
File name:POEA ADVISORY NO. 61- 2020.lzh
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'031'120 bytes
First seen:2020-06-08 05:58:56 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:CkR3JpeTFq2YoozeyuObDTYr1JzQqm4TiitjEe:/RfOqyozeyRyGNziye
TLSH 642533937934F44B84F12ADA1FB6B6249F244E763752F3831F116839568DF004DA2E9E
Reporter abuse_ch
Tags:lzh NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: dedicated73.tchmachines.com
Sending IP: 208.76.83.32
From: Philippine Overseas Employment Administration <info1@poea.gov.ph>
Subject: POEA MEMORANDUM NO. 60-2020.SECOND REMINDER....
Attachment: POEA ADVISORY NO. 61- 2020.lzh (contains "POEA ADVISORY NO. 61- 2020.PDF.exe")

NanoCore RAT C2:
aashkanani22.casacam.net:54985 (79.134.225.73)
aashkanani22.ddns.net:54985 (79.134.225.73)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 06:00:07 UTC
AV detection:
17 of 30 (56.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2fmsrddtkggs2ttzu7llnpjdh4te55hf4ymmsjjbai5skrwxm5fa._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar d159288c73518d2d4e79a7d6b6bd233f264ef4e5e618c92521023b2546d7674a

(this sample)

NanoCore

Executable exe 7caf2e20a5d049ccf8aa3935fd8517e77d5e7e7e0322ceca894b9baad970aca2

  
Dropping
MD5 96d09e47557b81cf64f3311326a37638
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7caf2e20a5d049ccf8aa3935fd8517e77d5e7e7e0322ceca894b9baad970aca2

Comments