MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15520c752a3375cd92bee021404e10830d4732681be2e50b3d293bcbd3c1e262. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15520c752a3375cd92bee021404e10830d4732681be2e50b3d293bcbd3c1e262
SHA3-384 hash: f9dc92190e6e3e07d6c13f6158bf70c72fc779e1afbc1058d1abd447c500cf84ed163f176dc99ada54364ee70cdb6d1d
SHA1 hash: b83c2197690743613c3eebad0414b2710c572f61
MD5 hash: 5461a4c1474404e1358f649344592991
humanhash: november-kentucky-april-lamp
File name:DHL Shipment Notification REF 210821.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:155'648 bytes
First seen:2021-08-22 19:08:52 UTC
Last seen:2021-08-22 20:02:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fab4938ac1c8c9d7cabba8b6fe9c5ef2 (1 x GuLoader, 1 x NanoCore)
ssdeep 1536:HCU8UrLPqO6P/MwdU7EKorkHPP3QSERooPzKcRdUbBEoBSy2+1RL:iUzrbiXMwGorn/ioPc/N
Threatray 4'279 similar samples on MalwareBazaar
TLSH T1BAE3642BB9048528D54D68F0B4356BA23315FF0762491FEF7084FEA876798A7B49630F
dhash icon d2fefefefcf8d2c3 (2 x NanoCore, 1 x GuLoader)
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Shipment Notification REF 210821.exe
Verdict:
No threats detected
Analysis date:
2021-08-22 19:09:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dce47d98-40bc-4b2c-81cf-f6eb0b0f53b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181283/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15708.29998.14849.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae441a36-c927-4bb8-81e0-7abe4f62f3e2
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837137
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Found malware configuration
GuLoader behavior detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469568 Sample: DHL Shipment Notification R... Startdate: 22/08/2021 Architecture: WINDOWS Score: 100 45 darkeye.hopto.org 2->45 47 s3-r-w.us-east-2.amazonaws.com 2->47 49 7po.s3.us-east-2.amazonaws.com 2->49 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 8 other signatures 2->67 9 DHL Shipment Notification REF 210821.exe 1 2->9         started        12 korsvis.exe 2->12         started        14 korsvis.exe 2->14         started        16 RegAsm.exe 4 2->16         started        signatures3 process4 signatures5 77 Writes to foreign memory regions 9->77 79 Tries to detect Any.run 9->79 81 Hides threads from debuggers 9->81 18 RegAsm.exe 1 19 9->18         started        83 Antivirus detection for dropped file 12->83 85 Multi AV Scanner detection for dropped file 12->85 23 RegAsm.exe 8 12->23         started        25 RegAsm.exe 1 14->25         started        27 conhost.exe 16->27         started        process6 dnsIp7 51 darkeye.hopto.org 185.244.30.240, 1606, 49720, 49721 DAVID_CRAIGGG Netherlands 18->51 53 s3-r-w.us-east-2.amazonaws.com 52.219.105.10, 443, 49715 AMAZON-02US United States 18->53 55 7po.s3.us-east-2.amazonaws.com 18->55 39 C:\Users\user\Culebra7\korsvis.exe, PE32 18->39 dropped 41 C:\Users\user\AppData\Roaming\...\run.dat, MPEG-4 18->41 dropped 43 C:\Users\user\AppData\Local\...\tmpDA2E.tmp, XML 18->43 dropped 69 Uses schtasks.exe or at.exe to add and modify task schedules 18->69 71 Tries to detect Any.run 18->71 73 Hides threads from debuggers 18->73 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->75 29 schtasks.exe 1 18->29         started        31 conhost.exe 18->31         started        57 52.219.102.186, 443, 49737 AMAZON-02US United States 23->57 59 7po.s3.us-east-2.amazonaws.com 23->59 33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        file8 signatures9 process10 process11 37 conhost.exe 29->37         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/15520c752a3375cd92bee021404e10830d4732681be2e50b3d293bcbd3c1e262/
Threat name:
ByteCode-MSIL.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 12:53:41 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cvjay5jkgn243ev64aquatqqqmguomtidprokcz5fe54xu6b4jra._file
Verdict:
suspicious
Similar samples:
22b13820a6139c7682d5e1108aefde2200dc593e14fe7fca28eb27d5e616bef7
GuLoader
48aac53ca47241dd233ec894895239d5539c53b5e35310389529724a457555a7
GuLoader
5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494
GuLoader
7c72d2e12ed2db6353a373d16c07eaf27fbf110c75a2dc7535ec7d624cb42012
GuLoader
97e8e53c9ad758050c08da0cf14f7024dba1d7710b0f612f13d2b5a458dd13bb
GuLoader
9e313db794797641d0c55ff15c1f663e13893bb443bb84e0dd212f8a7aeca598
GuLoader
ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55
GuLoader
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
GuLoader
daddd42058897ef8a960a504ff3022b9cea4e6ae3c943be987300abff4706385
GuLoader
db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea
GuLoader
+ 4'269 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210822-h68src25l6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
darkeye.hopto.org:1606
Unpacked files
SH256 hash:
15520c752a3375cd92bee021404e10830d4732681be2e50b3d293bcbd3c1e262
MD5 hash:
5461a4c1474404e1358f649344592991
SHA1 hash:
b83c2197690743613c3eebad0414b2710c572f61
Link:
https://www.unpac.me/results/19d0fe8c-43f3-4ed3-b657-0c12a97658d2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/15520c752a33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15520c752a3375cd92bee021404e10830d4732681be2e50b3d293bcbd3c1e262

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/181283/

Comments