MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21f8a725171c1d96d00ee966f36fd37f19da119510287a5c5301868b6cabe69a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21f8a725171c1d96d00ee966f36fd37f19da119510287a5c5301868b6cabe69a
SHA3-384 hash: 1122617dac39a11cb34d5854d1d367d1cd1497d771b80c808b9d3f3e2d42aeaab8fc275d6b2c08e9a89f1e976335f98d
SHA1 hash: 0cf75744ec960ecbd39c6a5c71c9f934de3e05d7
MD5 hash: ffbbd29c9672b8c829d45bf92f1d501e
humanhash: tennessee-idaho-happy-two
File name:91ff60143b86b6e8708c3ac08588d837.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:207'872 bytes
First seen:2020-04-05 07:38:38 UTC
Last seen:2020-04-08 12:44:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:MLV6Bta6dtJmakIM5Xn/kAflqT1une7R0s1eI:MLV6Btpmkg/FU5eI
Threatray 1'096 similar samples on MalwareBazaar
TLSH 9914CF6637A88A2FE2CE86B9711251129378C2E79CC3F3EE18D455B78B627E507071D3
Reporter abuse_ch
Tags:exe GuLoader NanoCore


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://onedrive.live.com/download?cid=DDE26285195864B8&resid=DDE26285195864B8%21379&authkey=AI9JeFVwfv5qi4M

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Nanocore-5
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Nanocore
Create hunting rule
Status:
Malicious
First seen:
2020-04-05 08:35:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
31 of 31 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eh4kojixdqoznuao5ftpg36tp4m5uemvcauhuxctagdiw3fl42na._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
2122f46b7744ea7cabea57095f4cdcbcdcf176232cfae669e7119c5bd607bf53
NanoCore
266c0f3b1cf78040080fce2037544112b77d23b25753c714d6390c2f705a3c34
NanoCore
5d37ea9d96ae208d4df3961643780b97016cf055128483ae287ad86616cbea45
NanoCore
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
NanoCore
83b70b20d0cdb13e9c420723ba5f025827d21e0c051c6e64b5553a5c372c3374
NanoCore
9c62e75f2dc168671bddfe8cad2b102197c10d9039d8917a7637585ff603dbdd
NanoCore
9fc240db7a0cd883c35e2cbfc6e8dcb2bb3921514dbce65aef46711de4a06a6a
NanoCore
ddf157853be3dbebba9eea0db9815017a0c7d8dded210a5c291d7b0ccd2fd2be
NanoCore
e29e9d9beb5ce8187decf038cdc0b1d3102b4cfe43715a3b4f934098a943ebed
NanoCore
ed6ea055c622adab41b5eba73b4d556c4c843b9e77e21933297ca0ce972ce5c4
NanoCore
+ 1'086 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

cba55f555e37d682c6caca3f32f9aa8edda0215df7ab09a89b3e521b7f366237

NanoCore

Executable exe 21f8a725171c1d96d00ee966f36fd37f19da119510287a5c5301868b6cabe69a

(this sample)

  
Dropped by
MD5 91ff60143b86b6e8708c3ac08588d837
  
Dropped by
MD5 1220dff4bbb223726fe5f2c5d2634cce
  
Dropped by
GuLoader
  
Dropped by
SHA256 cba55f555e37d682c6caca3f32f9aa8edda0215df7ab09a89b3e521b7f366237
  
Dropped by
SHA256 7e553245848f444d9fdab464de13902297a42eb44961084866af35b5633744e2
  
URLhaus
https://urlhaus.abuse.ch/url/335188/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments