MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18ae332a0ab3c520557c6d6f44ec4d014e2b13eed51e534ad504e6015e1eec22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18ae332a0ab3c520557c6d6f44ec4d014e2b13eed51e534ad504e6015e1eec22
SHA3-384 hash: ff076ad8f7007d8dd7b40a693e43644c753cb1b7f99eef5335a96c4817842ee9d497631749beecad17e60d4037838a5d
SHA1 hash: e8409c63b14eb475319ab272416c7db7004fe2e4
MD5 hash: 3051be0c0256c98675c4fd9ba21f8f18
humanhash: whiskey-south-florida-red
File name:ef1669a3a72bfc0d68808cecf4114615.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:207'872 bytes
First seen:2020-04-05 07:32:05 UTC
Last seen:2020-04-08 12:35:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI3eb8Wd2H2hdHZVLdkjY:sLV6Bta6dtJmakIM5PfTzHTLajY
Threatray 1'105 similar samples on MalwareBazaar
TLSH 7314CF267BA88A2FE2DE857D611242139379C2E3D9C3F3DE18D465B68F663E106071D3
Reporter abuse_ch
Tags:exe GuLoader NanoCore


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://onedrive.live.com/download?cid=8191351450372B91&resid=8191351450372B91%21288&authkey=AJhDPfJmz4mSrPM

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Nanocore-5
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Nanocore
Create hunting rule
Status:
Malicious
First seen:
2020-04-05 07:35:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
30 of 30 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dcxdgkqkwpcsavl4nvxuj3cnafhcwe7o2upfgswvattacxq65qra._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
dridex
Create hunting rule
Similar samples:
38814f6587d098be00d461dae2dfeb01b50e2a697d86bfc02e334024133bfed8
NanoCore
49ad0ed3bf58f6bec614955067d2a6ae9a19825412ed6f6e851973d5d809293f
NanoCore
662f115f07c983b7c060eb8a98b4dfa8951df8f3149e71523d2de7ee97d9139e
NanoCore
6eb10ca3e8026756f417b8e04510f768c28175817c73be8f21514dfb186d687f
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
8bb9b00853b7ad74a9e4c41b8974ab369d16e6289c9e9e933be5fe56539af2b1
NanoCore
9c62e75f2dc168671bddfe8cad2b102197c10d9039d8917a7637585ff603dbdd
NanoCore
9ca497f6231180ec374837cf77e099a25e8c5cffa16c6599739c92ee03a94d34
NanoCore
9fc240db7a0cd883c35e2cbfc6e8dcb2bb3921514dbce65aef46711de4a06a6a
NanoCore
e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed
NanoCore
+ 1'095 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

abaca4be56cd0319e77c960adc495db3be339531c30aae267ff25b70f03038f1

NanoCore

Executable exe 18ae332a0ab3c520557c6d6f44ec4d014e2b13eed51e534ad504e6015e1eec22

(this sample)

  
Dropped by
MD5 ef1669a3a72bfc0d68808cecf4114615
  
Dropped by
MD5 7153649a1187067eeab1d7f0713be343
  
Dropped by
GuLoader
  
Dropped by
SHA256 abaca4be56cd0319e77c960adc495db3be339531c30aae267ff25b70f03038f1
  
Dropped by
SHA256 91b96d10cef1aed29362b2f9d5f23d7dcd3c1067d7b8e2f6f8b734587ca369a7
  
URLhaus
https://urlhaus.abuse.ch/url/335155/
  
URLhaus
https://urlhaus.abuse.ch/url/335553/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments