MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1692d2697b4be8b7d1c28b44c6e73ae3c176193055492f10e0fa53b677f85bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 4



SHA256 hash: 1692d2697b4be8b7d1c28b44c6e73ae3c176193055492f10e0fa53b677f85bde
SHA3-384 hash: 3c7a6e2d65302a6329bd528486e22def13e3dc8737c50a0363d062c6136c49d36d432759051848d363868c32fff3871f
SHA1 hash: 65a796cf6ef6aedcd84bb8e29da0a29a1c5fef97
MD5 hash: cbe29767866146cbbb17547adc2e9e5f
humanhash: friend-ceiling-rugby-william
File name: 40c31f8937bc983f0c63c3585541221e.exe
Signature: NanoCore
File size: 207'872 bytes
First seen: 2020-03-30 12:55:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIEyP+1Nda82N+xdkv9iRLGeQL5:MLV6Bta6dtJmakIM5ykAgNpw
Threatray: 1'372 similar samples on MalwareBazaar
TLSH: 1B14CF267BF98A2FE2DE86B9611212028379C2E399C3F3DE18D455B74F267E506071D3
Reporter: abuse_ch
Tags: exe GuLoader NanoCore


abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1ibH6OoMyQlpx8xYmf_0B5-mmw32JNFN2

Intelligence


File Origin
# of uploads: 1
# of downloads: 91
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Nanocore
Status: Malicious
First seen: 2020-03-30 13:35:26 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 31 of 31 (100.00%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

f765ba2d7d5008f51964bc8184e42c4045c59c737379c77969d4e2c1fe660333
NanoCore, Executable exe, 1692d2697b4be8b7d1c28b44c6e73ae3c176193055492f10e0fa53b677f85bde (this sample)

  
Dropped by: MD5 40c31f8937bc983f0c63c3585541221e
Dropped by: MD5 dfa4d1eeb492e59e1a496a005778d12e
Dropped by: GuLoader
Dropped by: SHA256 f765ba2d7d5008f51964bc8184e42c4045c59c737379c77969d4e2c1fe660333
Dropped by: SHA256 6e55bda2178c291d598fb1eecefd39dfb61057d89f28eb918f7bce85c485f784

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high
