MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3016a6fd03e57ee760ab4c79ec8822caa4eda8c24236d7eec230f6ca6f4d785a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3016a6fd03e57ee760ab4c79ec8822caa4eda8c24236d7eec230f6ca6f4d785a
SHA3-384 hash: 95bd37cde7d63998de77829cb45ba5b724c4121a0cc0d7bd577152ecce30bc000fc047f20467f828deee39517a84d236
SHA1 hash: 47aa16a6891b04af418270ca4ed318314c3464c6
MD5 hash: 365d37e09e2514a935e87f9ab793ffc9
humanhash: alanine-king-jupiter-solar
File name:365d37e0_by_Libranalysis
Download: download sample
Signature GuLoader
Create hunting rule
File size:112'352 bytes
First seen:2021-05-19 19:01:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 1536:cmmjJbxmksikwUaORVWiIK35JcX0xbiP:cmUxFsitOa+JJcobO
Threatray 1'530 similar samples on MalwareBazaar
TLSH DEB3A3BAB5BBE470FE1980F0670C47EC81572A78C815495BDCC62518A7F2A76D6203FB
Reporter Libranalysis
Tags:GuLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PLF.exe
Verdict:
Malicious activity
Analysis date:
2021-05-19 12:06:04 UTC
Tags:
trojan nanocore rat
Link:
https://app.any.run/tasks/87568d22-4e6d-4677-9ef4-db728f37ecde

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158751/
Detection(s):
SecuriteInfo.com.Variant.Jaik.45934.1124.23749.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785304
Signature
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 417707 Sample: 365d37e0_by_Libranalysis Startdate: 19/05/2021 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Potential malicious icon found 2->50 52 Found malware configuration 2->52 54 8 other signatures 2->54 8 365d37e0_by_Libranalysis.exe 2->8         started        11 dhcpmon.exe 4 2->11         started        13 RegAsm.exe 4 2->13         started        15 dhcpmon.exe 3 2->15         started        process3 signatures4 64 Writes to foreign memory regions 8->64 66 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 8->66 68 Tries to detect Any.run 8->68 70 2 other signatures 8->70 17 RegAsm.exe 1 21 8->17         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        process5 dnsIp6 44 tzitziklishop.ddns.net 103.89.90.73, 1604, 49715, 49716 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 17->44 46 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 103.232.54.201, 49711, 80 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 17->46 38 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 17->38 dropped 40 C:\Users\user\AppData\Local\...\tmp8166.tmp, XML 17->40 dropped 42 C:\Program Files (x86)\...\dhcpmon.exe, PE32 17->42 dropped 56 Uses schtasks.exe or at.exe to add and modify task schedules 17->56 58 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 17->58 60 Tries to detect Any.run 17->60 62 3 other signatures 17->62 28 schtasks.exe 1 17->28         started        30 schtasks.exe 1 17->30         started        32 conhost.exe 17->32         started        file7 signatures8 process9 process10 34 conhost.exe 28->34         started        36 conhost.exe 30->36         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3016a6fd03e57ee760ab4c79ec8822caa4eda8c24236d7eec230f6ca6f4d785a/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 13:50:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=galkn7id4v7ooyfljr46zcbczkso3kgcii3np3wcgd3mu32npbna._file
Verdict:
suspicious
Similar samples:
02738721df55077c4a8b8826e7cdd0243003ba4b34cb71f314ad05a29330c9c3
GuLoader
2b63f1488d9a8396513a3dd2ca07b44adee4b1187dc5e6d94934ed6271e76f5d
GuLoader
311bf44fb33aa4661e8630fcb2830f22714427133527c1768f0b0ceaad502533
GuLoader
34a666042ff3ad45f4e1e37776cc55d4f4fdd1bcd8233852839d55fc076410d1
GuLoader
6670269c08d80b6511029d06dfa07711a5e0bb1494107da5dc9d9d5661f010f3
GuLoader
8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
GuLoader
b0ce84526989dd02968e8ddae780d47de367ece10dbfc9d472893531abd08825
GuLoader
d5956571b9e9bc5c925d5b26a0bd0771c636bff202c0adb7d1d9ad6efe487bae
GuLoader
d75c69a49a30595964989b72499ec0e303ff42a0e2a334dda22a9cd9fd7e8ba5
GuLoader
e0f53d67eb5d4a5bab2f6d0bbaff502896e12572b97bf0350c88cfac3fcc5b8f
GuLoader
+ 1'520 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210519-7cyvzp1816/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/Plugman%20nano_CyboYajPN254.bin
tzitziklishop.ddns.net:1604
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3016a6fd03e57ee760ab4c79ec8822caa4eda8c24236d7eec230f6ca6f4d785a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 3016a6fd03e57ee760ab4c79ec8822caa4eda8c24236d7eec230f6ca6f4d785a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/158751/
  
URLhaus
https://urlhaus.abuse.ch/url/1255744/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-19 20:09:00 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing