MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deba289b0b2f8bedfbfe4b4013b286e3ccb0d5856aeec6302e8a1289fe4b4c4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deba289b0b2f8bedfbfe4b4013b286e3ccb0d5856aeec6302e8a1289fe4b4c4c
SHA3-384 hash: 111c16fae6d4db5b822aaffd65dd0d05ff31ddbfd66de1ab8f0636b200745bfef285ac0533878224fcb7196fa513e9e7
SHA1 hash: 15981cbd2a48ee9f2283bb9653320d3b9bf9179f
MD5 hash: f5e9483c54dd73269c093fdfb05ed742
humanhash: muppet-skylark-hot-mike
File name:Purchase Order 4.gz
Download: download sample
Signature NanoCore
Create hunting rule
File size:871'259 bytes
First seen:2020-05-13 16:38:33 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 24576:5ur74UBCM0KhFnBI/DVay+jnZ3AwdREG/oS:coq3TzCrVayKAGx
TLSH F40533BE63E6F191D44C8B16925B247DC529232A71E2D33AF72AA2C35847983C01CFD7
Reporter abuse_ch
Tags:gz NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

From: "ADIMIN" <phplist@easynet.es>
Reply-To: purchase.department@my.com
Subject: PURCHASE ORDER
Attachment: Purchase Order 4.gz (contains "Purchase Order (4).exe")

NanoCore RAT C2:
91.193.75.46:1985

Hosted on nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2019-12-05T05:39:00Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 17:36:41 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
15 of 31 (48.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=325crgylf6f63676jnabhmug4pglbvmfnlxmmmborijit7sljrga._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

gz deba289b0b2f8bedfbfe4b4013b286e3ccb0d5856aeec6302e8a1289fe4b4c4c

(this sample)

NanoCore

Executable exe ad0fbe6d8f278dac33ae5ffa7168aadbcfbf82b04fb6b3d443aa4157fa1149b1

  
Dropping
MD5 afe4fb4f0ffe411129a6826076b25dec
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 ad0fbe6d8f278dac33ae5ffa7168aadbcfbf82b04fb6b3d443aa4157fa1149b1

Comments