Loader

NosyDownloader

According to ESET Research, this malware is used by LongNosedGoblin. It executes a chain of obfuscated commands passed to a spawned PowerShell process as one long command-line argument, so the script is never stored on disk. Every subsequent stage is base64-encoded, and the final stage is additionally gzip-compressed. The second stage bypasses AMSI; in this case, NosyDownloader uses Matt Graeber's reflection method together with script-logging-disabling techniques that are publicly available on GitHub.


Family metadata imported from Malpedia (Fraunhofer FKIE).