MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5658b5126e72d08d0459509eb05c1564d2b844dae92d5fafc7c85a733abc67c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 3



SHA256 hash: f5658b5126e72d08d0459509eb05c1564d2b844dae92d5fafc7c85a733abc67c
SHA3-384 hash: c53e0c344aca9fd47fb418784ccf9eebc5ade8b66804fac8791c6f29707fba715b23912008e7b8bca0a629a4c5428fc5
SHA1 hash: 062d8a776d4020b30efdee67401dfc2aa939ac87
MD5 hash: 1db902082dd311548621b8d6577a4fb3
humanhash: pennsylvania-kentucky-romeo-magnesium
File name: 1217_07_06_20_REF2.pdf.zip
Signature: NanoCore
File size: 492'761 bytes
First seen: 2020-07-06 06:30:33 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12288:YHkh8Vzk4E9lPrPkry0+FvvoXO6ByRruc6UaWqkAt:DhqkR9lPrPk3KvoXrW6U8
TLSH: E7A423D9D9A0A341A839936D64236C8727F43FC4298B9E46A4F4CB7054F177E8EE701E
Reporter: abuse_ch
Tags: NanoCore nVpn RAT zip


abuse_ch
Malspam distributing NanoCore:

HELO: yahoo.co.in
Sending IP: 45.143.222.165
From: Andy <multimarmer@yahoo.com>
Subject: Re:STATEMENT OF ACCOUNT
Attachment: 1217_07_06_20_REF2.pdf.zip (contains "1217_07_06_20_REF2.exe")

NanoCore RAT C2:
wazzy.ddns.net:1716 (194.5.99.24)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: INTER_CLOUD_SERVICES_RUSSIA
admin-c: ICTR1-RIPE
tech-c: ICTR1-RIPE
org: ORG-ICR2-RIPE
country: RU
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-04T13:20:18Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 61
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2020-07-06 06:32:04 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

zip f5658b5126e72d08d0459509eb05c1564d2b844dae92d5fafc7c85a733abc67c (this sample)

Dropping: NanoCore
Delivery method: Distributed via e-mail attachment