MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 266fb950b47e675141744de2c8e756706d50eeab5092d2dda233cb2ed0c2fb9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	266fb950b47e675141744de2c8e756706d50eeab5092d2dda233cb2ed0c2fb9c
SHA3-384 hash:	8ff0c6955229a4b3464104e96540044b14ad67d856236423acae7f7021c4d6d04ebb21c2c0fd69a9a58d66a1189226a5
SHA1 hash:	ad7865c21cd90aa5e21fb1b1bcd4a63a8543cc82
MD5 hash:	d7a95c944e0adf5a3bb6c56f5b5c6d5a
humanhash:	helium-moon-quebec-alabama
File name:	860b03a2e8803dfcf77ec7d79ddb7efd.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	207'360 bytes
First seen:	2020-03-31 01:25:09 UTC
Last seen:	2020-03-31 18:55:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIjdlLb/PQWQIUyPR2RmZZU//Kg:gLV6Bta6dtJmakIM5ElnoTIUyK8ZU/H3
Threatray	1'095 similar samples on MalwareBazaar
TLSH	ED14CF267BA84A3FE2CE8A78611241128378C2E39DD3F7DE58D465B75F627E50A071C3
Reporter	abuse_ch
Tags:	exe GuLoader NanoCore

abuse_ch

Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=19LyVb-ncmHG4xlD6COSsQXht_VHtXf8c

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Nanocore-5

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Nanocore

Status:

Malicious

First seen:

2020-03-31 01:35:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 31 (96.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ezx3sufupztvcqlujxrmrz2wobwvb3vlkcjnfxncgpfs5ugc7ooa._file

Verdict:

malicious

Label(s):

nanocorerat

NanoCore

654a06ec25677a527417902e8c2bec0b87d70c8503d855bcaa346afcd342f9a2

NanoCore

6afb227c640c59b8f64fc5a16adf0a25e946cf47198992bc44044976a8c3bcf3

NanoCore

6b38ac5b7be8f62d0e7645cdd3553ac86a06ccbbd6de9865f5bdf00bf62822e6

NanoCore

6ba16889c485514ebaecaded7ef1b207f53d9ea0478492e32051adff9a491c5d

NanoCore

7cdf1294eb40f2a207f55cbb1a68761135500f64bb077a7f4ba9a7d3098850f1

NanoCore

84087e77b6088ef6e3d9a61f088ea5c6b6cb9bf1c7d852df6a12e745ab112c11

NanoCore

b5c0a89f74b62e5383ce300111541a706ac618a73a7b972df306a8c02f3dfd55

NanoCore

cceb9c5e056195ade68f26cba3761280fdb806bf44f4c7c234f295a6a663a320

NanoCore

ddf157853be3dbebba9eea0db9815017a0c7d8dded210a5c291d7b0ccd2fd2be

NanoCore

+ 1'085 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

aef0b21c2c646e33e2e19004c8ca42cb518eaf1cb6bfe0c5f9dd73b7ddc48cce

NanoCore

exe 266fb950b47e675141744de2c8e756706d50eeab5092d2dda233cb2ed0c2fb9c

(this sample)

Dropped by

MD5 860b03a2e8803dfcf77ec7d79ddb7efd

Dropped by

MD5 9ec26b4e019f5f42029643f7da3b6763

Dropped by

GuLoader

Dropped by

SHA256 aef0b21c2c646e33e2e19004c8ca42cb518eaf1cb6bfe0c5f9dd73b7ddc48cce

Dropped by

SHA256 f00e42475ccab21d213dd76202c8770a9165e3cd2258a6a79340ec461ce1a282

URLhaus

https://urlhaus.abuse.ch/url/332563/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample