MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0eda326c434151194985647835bd82ead40104bb7c210e7721868b280c74c23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0eda326c434151194985647835bd82ead40104bb7c210e7721868b280c74c23
SHA3-384 hash: 698defc8121290a25293158e297a7bf4b68abfaa7f5c081b7f3f35195f9d7f8d3b1b9a5d05a2355c66e83a70e0ef82c9
SHA1 hash: c23d208ebe7b3a40c94b46451678ee29539c62fd
MD5 hash: 0ebcaaa08ba99fa147c48ff3576481e1
humanhash: london-diet-don-neptune
File name:UNPAID BILLING INVOICE APRIL 2020.LZH
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'010'538 bytes
First seen:2020-06-11 05:43:45 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 24576:6kREFJos2jOlIHnbTDEBW6twK623tuVUfj1qf:3RCWHbTYMVF230VSj1Y
TLSH 9F2533FA3272D82554E8649D19382D642F68020FD6F5F0D2A76488362BC2F3CD66DB7D
Reporter abuse_ch
Tags:lzh NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: gmmgroupasia.wsiph2.com
Sending IP: 173.230.147.68
From: Account <account1@dimensionallgroup.com>
Subject: Fwd: BILLING INVOICE MAY 2020
Attachment: UNPAID BILLING INVOICE APRIL 2020.LZH (contains "UNPAID BILLING INVOICE APRIL 2020.PDF.exe")

NanoCore RAT C2:
aashkanani22.casacam.net:54985 (79.134.225.73)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Script-AutoIt.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 05:45:08 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dw2gjwegqkrdfeykzdygw6yf2wuaeclw7bbbz3sdbulfaghjqrq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar e0eda326c434151194985647835bd82ead40104bb7c210e7721868b280c74c23

(this sample)

NanoCore

Executable exe a94d174668553fbeb3c27e3194f9cef33d0d24ca56891658911bfdd7451ae9f8

  
Dropping
MD5 2c51d508e952e74dff3622fce3067988
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 a94d174668553fbeb3c27e3194f9cef33d0d24ca56891658911bfdd7451ae9f8

Comments