MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec7d770589233fc03c902c43e28579dfeea288d7e99c62b8f92ddc0c7ee70e21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	ec7d770589233fc03c902c43e28579dfeea288d7e99c62b8f92ddc0c7ee70e21
SHA3-384 hash:	46ff74979ffcb94dd24cd2228d676a066b726a6e5a47ecbbd39bf6f640b75bba43db73aeb111925ecf8b3d89841eefb8
SHA1 hash:	37d6972481898c2938815ca5d13dec3ce027ebbf
MD5 hash:	b6dd6a01deaf8b24ed5e9a900e0a7b03
humanhash:	queen-alanine-romeo-potato
File name:	cf091876e886d79bb1d9dad1b9764110.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	207'360 bytes
First seen:	2020-03-26 19:04:09 UTC
Last seen:	2020-04-01 16:49:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	6144:QLV6Bta6dtJmakIM52KcXD+tGrXgP159WR1:QLV6BtpmkVKcH7g1vI1
Threatray	1'413 similar samples on MalwareBazaar
TLSH	C314CF1A3BF84A2FE2DE46B9612252428779C2E398C3F3DE58D455B75F663E40A070D3
Reporter	abuse_ch
Tags:	exe GuLoader NanoCore

abuse_ch

Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1zKDilxwMK2inlQsFzKtZB4VLNdfqYrlj

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Nanocore-5

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Nanocore

Status:

Malicious

First seen:

2020-03-26 19:35:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

31 of 31 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5r6xobmjem74apeqfrb6fblz37xkfcgx5gogfohzfxoay7xhbyqq._file

Verdict:

malicious

Label(s):

nanocorerat

hawkeyekeylogger

emotet

NanoCore

17fa709f1a866d573f997f8f1288d537de382cccc5a4f9c1811db9da34c016b2

NanoCore

38701fe4b63d1436ba2e26cc7e268327299b58bcccbf074bfb2cbbcf57ceb2ea

NanoCore

4c4881464fd7d95cfe2d60dfd7beff8dd9c3426c15c945500db1e8714374556c

NanoCore

4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470

NanoCore

5e3140ed7841e6893114a0d4d9c5ee239736449aaba20d2c8939a051e5ef21c5

NanoCore

90474a0270106b33e3208a63041d2e4d013b1d2b415bf3bf44e9a5ab685d0531

NanoCore

944b633d92799fe6aeefae5de7945b6b0b69020ed669d9d7e68ebd80868771e6

NanoCore

bd23c3a3d5215798a115525fe15803ee5f4393ae77d49e081770761beecb14ea

NanoCore

be1a45ae85bb530727a5e96d3dc19eeb0542991ddb5a747b93665b4599c70ea0

NanoCore

+ 1'403 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c25ff288673274c7c9d9ee7e1e6f4cab9ea077518341f63826f23b74ccb41723

NanoCore

exe ec7d770589233fc03c902c43e28579dfeea288d7e99c62b8f92ddc0c7ee70e21

(this sample)

Dropped by

MD5 cf091876e886d79bb1d9dad1b9764110

Dropped by

MD5 282ab479d117572da6684ebacdc1eda6

Dropped by

GuLoader

Dropped by

SHA256 c25ff288673274c7c9d9ee7e1e6f4cab9ea077518341f63826f23b74ccb41723

Dropped by

SHA256 e86e5c193893be78064bcb730c37317c6801aadd824c0221bdb190949a7ae450

URLhaus

https://urlhaus.abuse.ch/url/330524/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample