
Rewterz Threat Alert – AutoIt-Wrapped NanoCore RAT Malspam – Threat Indicators

Severity

Medium

Analysis Summary

A new wave of malicious emails has been observed delivering attachments that lead to NanoCore RAT infection. The campaign uses an invoice-themed subject line ("Overdue Invoice") and ships the payload inside an .img disk-image attachment that contains the executable (for example invoice#003.img, which carries invoice#003.exe); as the alert title states, the RAT is wrapped in AutoIt. Multiple indicators of compromise have been retrieved and are given below.

Impact

NanoCore RAT infection

Indicators of Compromise

IPs / Hostnames

  • 185.165.153[.]237
  • 92.222.72[.]160
  • 185.244.29[.]85
  • 213.183.58[.]30
  • 185.234.216[.]76
  • 77.235.58[.]150

Domains

  • kingdevil.ddns[.]net
  • iguazuargentina[.]com
  • tecklink.publicvm[.]com

Filenames

  • invoice#003.img -> invoice#003.exe
  • Fedex Receipt.img

Email Addresses

  • info[@]verpleeghuisevie[.]sr
  • teddybanks454[@]yahoo[.]com
  • sales[@]flexpress[.]com

Email Subject

Overdue Invoice

Malware Hashes (MD5/SHA1/SHA256)

  • 0db20042e4b5c0f048001b8b62b13bf9
  • 997fb515527aba0f5b0beab95661f48b4329077e
  • 886338ebc04e728338874b07365d4fd337998e1786893b680065358e815a6d02
  • 208cd564304ef7fe98a0c3da095fec3b
  • 00199f1675ca431351cad7193bf60859ce8c238b
  • b3aef0e1d7a71edbc858a81e66f354be1974aafdd4449f2972e4dae1c82f2b8a
  • 0be479263ede63dc6af79ffc5fce3ee3
  • aa10739682d2f507665263ac7051a6adfc7345d8
  • c75501c8e5e64c7a532ab5cd313cec069dd16a77ac2a2d928f7474e145cce0c0
  • cd84d022a297ff56c49028f1903ec277
  • 63d5df1e79a209d8f81ddfd4d70b273c5b46b881
  • 859ca7653dd6637a0bd815d414531c49e09b540a5ba48314da83d8c3dae17659

Remediation

  • Block the threat indicators listed above at their respective controls.
  • Never open links or attachments sent by unknown senders.
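The following is an added example, not code from Rewterz or from the alert itself. It shows one way to act on the remediation advice above: the defanged indicators are copied from this alert, refanged, sorted into lookup sets by type, and then swept against a handful of constructed log lines (a DNS resolver, a mail gateway, an EDR file-hash event and a firewall record). The log format, the host and client names, and the `attach=` field are assumptions made for the example; the `.img` attachment check mirrors the invoice#003.img -> invoice#003.exe pattern noted in the indicators.

```python
"""Refang the indicators listed in this alert and sweep sample logs for them."""
import re
from dataclasses import dataclass, field

# Indicators copied verbatim (defanged) from the alert above.
ALERT_TEXT = """
185.165.153[.]237  92.222.72[.]160  185.244.29[.]85
213.183.58[.]30  185.234.216[.]76  77.235.58[.]150
kingdevil.ddns[.]net  iguazuargentina[.]com  tecklink.publicvm[.]com
info[@]verpleeghuisevie[.]sr  teddybanks454[@]yahoo[.]com  sales[@]flexpress[.]com
0db20042e4b5c0f048001b8b62b13bf9
997fb515527aba0f5b0beab95661f48b4329077e
886338ebc04e728338874b07365d4fd337998e1786893b680065358e815a6d02
208cd564304ef7fe98a0c3da095fec3b
00199f1675ca431351cad7193bf60859ce8c238b
b3aef0e1d7a71edbc858a81e66f354be1974aafdd4449f2972e4dae1c82f2b8a
0be479263ede63dc6af79ffc5fce3ee3
aa10739682d2f507665263ac7051a6adfc7345d8
c75501c8e5e64c7a532ab5cd313cec069dd16a77ac2a2d928f7474e145cce0c0
cd84d022a297ff56c49028f1903ec277
63d5df1e79a209d8f81ddfd4d70b273c5b46b881
859ca7653dd6637a0bd815d414531c49e09b540a5ba48314da83d8c3dae17659
"""


def refang(token: str) -> str:
    """Undo common defanging: [.] -> . , [@] -> @ , hxxp -> http."""
    return (token.replace("[.]", ".").replace("(.)", ".")
                 .replace("[@]", "@").replace("hxxp", "http"))


IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    hashes: set = field(default_factory=set)


def parse_iocs(text: str) -> IocSet:
    """Classify each whitespace-separated token of a defanged IoC list."""
    iocs = IocSet()
    for raw in text.split():
        tok = refang(raw.strip().lower())
        if IP_RE.match(tok):
            iocs.ips.add(tok)
        elif HASH_RE.match(tok):
            iocs.hashes.add(tok)
        elif EMAIL_RE.match(tok):      # checked before DOMAIN_RE: emails contain a domain
            iocs.emails.add(tok)
        elif DOMAIN_RE.match(tok):
            iocs.domains.add(tok)
    return iocs


# Constructed log lines (assumed format) mixing benign traffic with alert indicators.
SAMPLE_LOGS = [
    "2019-04-17T09:12:01Z dns client=10.0.0.15 query=kingdevil.ddns.net type=A",
    "2019-04-17T09:12:05Z dns client=10.0.0.15 query=updates.example.com type=A",
    '2019-04-17T09:13:40Z mail from=teddybanks454@yahoo.com subject="Overdue Invoice" attach=invoice#003.img',
    '2019-04-17T09:13:41Z mail from=payroll@example.com subject="Payslip" attach=payslip.pdf',
    "2019-04-17T09:15:00Z edr host=WS-22 file=invoice#003.exe sha256=886338ebc04e728338874b07365d4fd337998e1786893b680065358e815a6d02",
    "2019-04-17T09:16:00Z fw src=10.0.0.15 dst=185.244.29.85 dport=443 action=allow",
]

TOKEN_RE = re.compile(r"[A-Za-z0-9#@._-]+")   # splits key=value pairs into bare values
ATTACH_RE = re.compile(r"attach=(\S+)")       # assumed mail-gateway attachment field


def sweep(logs, iocs: IocSet):
    """Return (log_line, indicator, kind) for every line that touches an IoC."""
    hits = []
    buckets = (("ip", iocs.ips), ("hash", iocs.hashes),
               ("email", iocs.emails), ("domain", iocs.domains))
    for line in logs:
        for tok in TOKEN_RE.findall(line):
            t = tok.lower().rstrip(".")
            for kind, bucket in buckets:
                if t in bucket:
                    hits.append((line, t, kind))
        # Disk-image attachments, as used by this campaign (invoice#003.img -> .exe).
        m = ATTACH_RE.search(line)
        if m and m.group(1).lower().endswith(".img"):
            hits.append((line, m.group(1), "img-attachment"))
    return hits


if __name__ == "__main__":
    for line, indicator, kind in sweep(SAMPLE_LOGS, parse_iocs(ALERT_TEXT)):
        print(f"[{kind}] {indicator}  <-  {line}")
```

The sweep is deliberately exact-match on tokens rather than substring search, so that a benign domain that merely contains one of the listed names does not fire; a production version would pull the same sets into the firewall, DNS resolver and mail gateway blocklists rather than scanning after the fact.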