MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e61a0fe7fdb4056f029ea4073036bcaf9a27aaba37549da392ca1c44ad87b646. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e61a0fe7fdb4056f029ea4073036bcaf9a27aaba37549da392ca1c44ad87b646
SHA3-384 hash: b4a9649b0d772ad3f8f6cb3aa4887f42710b30ae56d126722504dbc3f497b1f30a03120695c7c92973ffb99dc55e36c2
SHA1 hash: a777f1356faa42739f655da425f0794e750f53ac
MD5 hash: 39bbb99f32870a0c96e2edcf783f6acf
humanhash: earth-colorado-virginia-ten
File name:factura.r11
Download: download sample
Signature NanoCore
Create hunting rule
File size:453'071 bytes
First seen:2020-07-21 16:19:15 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:uAVzaYWQAO7OqsTpiagoLyXn2ZXwiT6Siyeh17t:RdLR7ORp0o3ugY17t
TLSH 77A4235E5FE12E3650BBF9B3ED29905C8B9418D3435B28469326FC80A8D8B474EE7F11
Reporter abuse_ch
Tags:ESP geo NanoCore nVpn r11 RAT Santander


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: vps.uncethsa.com
Sending IP: 45.95.170.154
From: Paula Gonzalez <info@uncethsa.com>
Subject: Re: Santander - Transferir seu favor, por Telecrédito
Attachment: factura.r11 (contains "factura.exe")

NanoCore RAT C2:
tgfhgfd.casacam.net:6331 (185.165.153.8)

Pointing to nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-AT2
country: AT
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-14T13:31:45Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e61a0fe7fdb4056f029ea4073036bcaf9a27aaba37549da392ca1c44ad87b646/
Threat name:
ByteCode-MSIL.Trojan.MassLogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 16:21:05 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yna7z75wqcw6au6uqdtanv4v6ncpkv2g5kj3i4szioejlmhwzda._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e61a0fe7fdb4056f029ea4073036bcaf9a27aaba37549da392ca1c44ad87b646

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

rar e61a0fe7fdb4056f029ea4073036bcaf9a27aaba37549da392ca1c44ad87b646

(this sample)

NanoCore

Executable exe b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057

  
Dropping
MD5 02ba4b1f147403d1713d7cea04069775
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057

Comments