MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10b42560903d6d2fe79b9450f56dae0d2a19960cda5d53b8b70b7f7a075bb2ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10b42560903d6d2fe79b9450f56dae0d2a19960cda5d53b8b70b7f7a075bb2ea
SHA3-384 hash: eafb78f7525fff274fe63c9ee4c50059461130c588a531369bf43daa7531480afb942d340a977dc40baa7cd75c916f4c
SHA1 hash: f06de0148eb1152b39b42675cc96de7a45c53b07
MD5 hash: 89661f2576e74a1fd0b6c851987498a4
humanhash: autumn-march-sierra-rugby
File name:89661f2576e74a1fd0b6c851987498a4.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:102'400 bytes
First seen:2021-06-01 07:07:07 UTC
Last seen:2021-06-01 08:08:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 42cd9a917403a1f7a071034a21284723 (1 x GuLoader)
ssdeep 768:NKSFLXvf5iNnd4slA+rrwNVCbPQ6ENdj9wIyRQBr2nY7YdomOSgmfbkBWfzvhCJT:rL/f5iwsTwNVCTsNmnY7YdISg/ap0
Threatray 5'261 similar samples on MalwareBazaar
TLSH E1A38332F210B369F54A83B02618AB5F15346F73444BED06F781AF1AE9747D370E8A96
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://mcesb.com/cache/x7_IBFhipPk100.bin
http://farmersschool.ge/x7_IBFhipPk100.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AN_8383883773636.xlsx
Verdict:
Malicious activity
Analysis date:
2021-06-01 06:29:26 UTC
Tags:
encrypted trojan exploit CVE-2017-11882 nanocore rat
Link:
https://app.any.run/tasks/28fc42b0-6ff7-4fdc-be96-dda25695b37f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163713/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.10121.10652.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/795040
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 427439 Sample: ANBoKU1Ei8.exe Startdate: 01/06/2021 Architecture: WINDOWS Score: 100 45 rnnfibi.hopto.org 2->45 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Potential malicious icon found 2->55 57 Found malware configuration 2->57 59 10 other signatures 2->59 9 ANBoKU1Ei8.exe 2->9         started        12 RegAsm.exe 4 2->12         started        14 dhcpmon.exe 4 2->14         started        16 dhcpmon.exe 3 2->16         started        signatures3 process4 signatures5 69 Writes to foreign memory regions 9->69 71 Tries to detect Any.run 9->71 73 Hides threads from debuggers 9->73 18 RegAsm.exe 1 27 9->18         started        23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        process6 dnsIp7 47 mcesb.com 103.51.43.145, 49759, 80 X86NETWORK-AS-APX86NetworkSdnBhdMY Malaysia 18->47 49 farmersschool.ge 91.212.213.18, 49760, 80 SERVGE-ASDatacenterandHostingProviderGE Georgia 18->49 51 rnnfibi.hopto.org 199.195.253.181, 49761, 49762, 49763 PONYNETUS United States 18->51 39 C:\Users\user\AppData\Roaming\...\run.dat, data 18->39 dropped 41 C:\Users\user\AppData\Local\...\tmpB50E.tmp, XML 18->41 dropped 43 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->43 dropped 61 Uses schtasks.exe or at.exe to add and modify task schedules 18->61 63 Tries to detect Any.run 18->63 65 Hides threads from debuggers 18->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 29 schtasks.exe 1 18->29         started        31 schtasks.exe 1 18->31         started        33 conhost.exe 18->33         started        file8 signatures9 process10 process11 35 conhost.exe 29->35         started        37 conhost.exe 31->37         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/10b42560903d6d2fe79b9450f56dae0d2a19960cda5d53b8b70b7f7a075bb2ea/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-31 22:49:31 UTC
AV detection:
3 of 44 (6.82%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cc2ckyeqhvws7z43sripk3nobuvbtfqm3jovhofxbn7xub23wlva._file
Verdict:
malicious
Similar samples:
2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3
GuLoader
5e3c17b9a8fb04fc0de847833073fba6b1f5b4c302c003cfb888f93e4bd54adf
GuLoader
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
GuLoader
73b83d70f24909aea7920a86029b43198979d7e31ab768619371e12fc7399f93
GuLoader
8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
GuLoader
96beaff70c51e04f38db0943eddd24ecc142ef2815d536b82655e25fbf5a54db
GuLoader
b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c
GuLoader
d4dadc7dc5e003905cdd8f287bec1c4d751d8d9913689cb0894feb999917d791
GuLoader
e6cd47abf6c7c73449bd05329a0e30a48012c947d8762dd2429333af8d7bc198
GuLoader
faf4898dc104ee27f1d2adafa647094f57d9b282d6b3e7654c78e3d55eada723
GuLoader
+ 5'251 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210601-2b8tq8ds2x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
http://mcesb.com/cache/x7_IBFhipPk100.binhttp://farmersschool.ge/x7_IBFhipPk100.bin
rnnfibi.hopto.org:54666
127.0.0.1:54666
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/10b42560903d6d2fe79b9450f56dae0d2a19960cda5d53b8b70b7f7a075bb2ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 10b42560903d6d2fe79b9450f56dae0d2a19960cda5d53b8b70b7f7a075bb2ea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1310545/
  
URLhaus
https://urlhaus.abuse.ch/url/1306418/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/163713/

Comments