MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d64f3fe86ab044dbdf24676d567b7b22934f789624b5381350d7811130897bc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d64f3fe86ab044dbdf24676d567b7b22934f789624b5381350d7811130897bc2
SHA3-384 hash: 61704ec863df3b8cc8bd3c4ae2e86ff8bcea277b262230d99290090aa3667392746f2fde0b15746aede7b418851fb11b
SHA1 hash: b193ff17824e5735a88e106c22889f37aaefdb90
MD5 hash: 05cd9204d4a720268a67e7c069f592e7
humanhash: asparagus-maryland-mexico-blossom
File name:New Order.gz
Download: download sample
Signature NanoCore
Create hunting rule
File size:405'891 bytes
First seen:2020-07-29 06:55:20 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 6144:EGRnjmocQFI2zHLRpevoQv4O7uvBrRR4NllqHgxbXsDbN46/XKrl8mL1YhF:EKm1CIsLASiuvBrXolKgxwbazrKmp0
TLSH 268423FB25F8418A391D8D6E634FC8B056222BB274F96D7EF4F148947B509AB800EF15
Reporter abuse_ch
Tags:gz NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: fdx.co.th
Sending IP: 95.211.211.232
From: Cee Purchasing Department <cee@fdx.co.th>
Subject: New Order
Attachment: New Order.gz (contains "New Order.exe")

NanoCore RAT C2:
79.134.225.121:7583

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.20789.RarHeur.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d64f3fe86ab044dbdf24676d567b7b22934f789624b5381350d7811130897bc2/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 01:46:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zht72dkwbcnxxzem5wvm633ekju66ewes2tqe2q26arcmejppba._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d64f3fe86ab044dbdf24676d567b7b22934f789624b5381350d7811130897bc2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz d64f3fe86ab044dbdf24676d567b7b22934f789624b5381350d7811130897bc2

(this sample)

NanoCore

Executable exe da8f7980c887ac05dd4c2e53c50c17bebe208be1758d6b7879144efb53d5a963

  
Dropping
MD5 852ecb84ca7a03733a9f0d91e4943dc5
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 da8f7980c887ac05dd4c2e53c50c17bebe208be1758d6b7879144efb53d5a963

Comments