MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f909bce44029282aa398571bc06fa8c4c57f4e0ed6087459bb868cdd08ed1523. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f909bce44029282aa398571bc06fa8c4c57f4e0ed6087459bb868cdd08ed1523
SHA3-384 hash: ac5debeb7d8c3a24f8e7177898d27b0cf52ec31353afc0f0e13927ecca39583cc08094f7488f7ecc2496a632c3101496
SHA1 hash: 915fbaae6523102e700d385ea6ef72ec202cc56d
MD5 hash: d925c85e7cf4c0e9d4373f2b0821c2b8
humanhash: seventeen-purple-arkansas-salami
File name:Lists of enquiry.img
Download: download sample
Signature NanoCore
Create hunting rule
File size:1'245'184 bytes
First seen:2020-05-14 16:18:12 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 6144:tN/o5Y4ba2OrYBsC9/fPzbjl29tMR35xX2ICz:tNwQ2RDfHjIS2xz
TLSH 9845DF447F48911EE65EA1B6F7A28E034725AD834903DB3771DCB2661FBE3E4C761A02
Reporter abuse_ch
Tags:img NanoCore nVpn RAT


Avatar
abuse_ch
Malspam distributing NanoCore:

HELO: mx-ace-1.centraloeste.com
Sending IP: 181.30.25.139
From: Mary Campbell <laura.aveni@centraloeste.com.ar>
Subject: Enquiry
Attachment: Lists of enquiry.img (contains "Lists of enquiry.exe")

NanoCore RAT C2:
u852121.nvpn.so:3410 (91.192.100.17)

Pointing to nVpn:

% Information related to '91.192.100.1 - 91.192.100.63'

% Abuse contact for '91.192.100.1 - 91.192.100.63' is 'abuse@libertas-international.eu'

inetnum: 91.192.100.1 - 91.192.100.63
netname: LIBERTAS_NETWORK
remarks: ----------------------------------------------
remarks: Libertas Network is a VPN service provider.
remarks: We have a strict non-logging policy, therefore
remarks: we don't record any logs on our servers.
remarks: ----------------------------------------------
country: CH
admin-c: LNAD1-RIPE
org: ORG-LNVS1-RIPE
tech-c: LNAD1-RIPE
status: ASSIGNED PA
mnt-by: MNT-DA327
created: 2019-12-12T08:51:11Z
last-modified: 2020-02-10T07:01:46Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Razy.627498.7628.22446.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-14 16:35:51 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
18 of 48 (37.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ee3zzcafeucvi4yk4n4a35iytcx6tqo2yehiwn3q2gn2chncurq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

img f909bce44029282aa398571bc06fa8c4c57f4e0ed6087459bb868cdd08ed1523

(this sample)

NanoCore

Executable exe 36ac5bec6993086917f960048af37ef846dcfe5042aeb7c0bf519ae060d0ea90

  
Dropping
MD5 549ad31350fca1a206d626f479bf23f6
  
Dropping
NanoCore
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 36ac5bec6993086917f960048af37ef846dcfe5042aeb7c0bf519ae060d0ea90

Comments