MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec9d801b120855fe926902234e77c60d5a0c8a115a977fe49e6b6b1539e0db51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: ec9d801b120855fe926902234e77c60d5a0c8a115a977fe49e6b6b1539e0db51
SHA1 hash: fa1a5428131733ca8f37a77a7ee768e0d47dc9db
MD5 hash: 8820d5920c860ab6a803bb8871e5d462
File name: Order_210520.doc
Signature: NanoCore
File size: 61'952 bytes
First seen: 2020-05-23 11:20:56 UTC
Last seen: 2020-05-23 11:46:44 UTC
File type: Word file doc
MIME type: application/msword
ssdeep: 1536:DiA1srwvdOW/GyP0F6CWy6YcRkeQISyD:G/rTO0F6
TLSH: F25318017686CD47E6A269F08DE6DBAAF2FAFC4E5D8AD30736003B1E7D7D6694611300
Reporter: @abuse_ch
Tags: doc NanoCore nVpn RAT


Twitter
@abuse_ch
Malspam distributing NanoCore:

HELO: whm1.empyrion.net
Sending IP: 67.227.189.9
From: John Holley <info@treetome.ca>
Reply-To: prepre080@vivaldi.net
Subject: RESENDING: Quotation Needed
Attachment: Order_210520.doc

NanoCore RAT payload URL:
http://bucofaringeo.com/xx01.exe

NanoCore RAT C2s:
bright1.awsmppl.com:4777 (79.134.225.89)
gold080.ooguy.com:4777 (79.134.225.89)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 20
Origin country: FR
ClamAV: MiscreantPunch.EvilMacro.AODBWSRBMS.UNOFFICIAL
ClamAV: MiscreantPunch.EvilMacro.DL.170224.UNOFFICIAL
VirusTotal: 42.62%

Yara Signatures


Rule name: ach_NanoCore
Author: abuse.ch

Rule name: Nanocore
Author: JPCERT/CC Incident Response Group
Description: detect Nanocore in memory
Reference: internal research

Rule name: Nanocore_RAT_Feb18_1
Author: Florian Roth
Description: Detects Nanocore RAT
Reference: Internal Research - T2T

Rule name: Nanocore_RAT_Gen_2
Author: Florian Roth
Description: Detects the Nanocore RAT
Reference: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: win_nanocore_w0
Author: Kevin Breen <kevin@techanarchy.net>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  NanoCore
    Word file doc ec9d801b120855fe926902234e77c60d5a0c8a115a977fe49e6b6b1539e0db51 (this sample)

Delivery method: Distributed via e-mail attachment

Comments