MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bc8c57bc1c743b7607ba2e15670591551241fd3b129c266c5894159e72d1c72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bc8c57bc1c743b7607ba2e15670591551241fd3b129c266c5894159e72d1c72
SHA3-384 hash: e10d60a3ad3fdbaf56a7544bc7f7317e14741912061bfece5320e41156b55c5c22bee972383885426ce39bb1d40feb46
SHA1 hash: e938bab991e837c04b85051dd31bc10190df952c
MD5 hash: 148e404cba10f384eeb538dac9912f13
humanhash: south-delta-maryland-virginia
File name:gonu.exe
Download: download sample
File size:2'541'928 bytes
First seen:2021-02-11 08:39:58 UTC
Last seen:2021-02-11 11:24:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a1496c94d52a035fe47259ee6587b7 (5 x RemoteManipulator, 2 x CoinMiner, 1 x WSHRAT)
ssdeep 49152:CUclPhp9vH1VjR6bpB+wdsgKhyZf6ENdzcxE1TnB3IaN3zpJoGDGDaFfSgfNf:g1ybCg4yZSENdzfTnB4aN3rfSgFf
Threatray 4 similar samples on MalwareBazaar
TLSH 92C5125D63A451E4E9B36538CF91DA36D7B13C000B32C39F22E55E4B3F9B2D2492AB61
Reporter JAMESWT_WT
Tags:CULNADY LTD LTD multiple detections signed

Code Signing Certificate

Organisation:CULNADY LTD LTD
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-12-17T00:00:00Z
Valid to:2021-12-17T23:59:59Z
Serial number: 19beff8a6c129663e5e8c18953dc1f67
Thumbprint Algorithm:SHA256
Thumbprint: 32dd1fef5cb44dc25ad8762a41f12c23a4247f381f384b4cfee97bcc7ce7ca43
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gonu.exe
Verdict:
No threats detected
Analysis date:
2021-02-11 08:41:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9ff6da0e-8b54-475e-98ca-4a9b35cfd900

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116714/
Detection(s):
SecuriteInfo.com.PowerShell.Siggen.1892.18387.2827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching cmd.exe command interpreter
Launching a process
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Deleting a recently created file
Forced system process termination
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Launching a service
Loading a system driver
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
DNS request
Running batch commands
Enabling autorun for a service
Downloading the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
69 / 100
Link:
https://www.joesandbox.com/analysis/605504
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates a Windows Service pointing to an executable in C:\Windows
Creates files in alternative data streams (ADS)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Dot net compiler compiles file from suspicious location
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351788 Sample: gonu.exe Startdate: 11/02/2021 Architecture: WINDOWS Score: 69 71 Antivirus detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Sigma detected: Dot net compiler compiles file from suspicious location 2->75 77 Bypasses PowerShell execution policy 2->77 10 gonu.exe 11 2->10         started        process3 file4 63 C:\Users\user\AppData\...\Readme.txt:meta, Microsoft 10->63 dropped 65 C:\Users\user\AppData\Local\...\Readme.txt, ASCII 10->65 dropped 83 Creates files in alternative data streams (ADS) 10->83 14 cmd.exe 1 10->14         started        signatures5 process6 process7 16 wscript.exe 1 14->16         started        19 cmd.exe 1 14->19         started        21 conhost.exe 1 14->21         started        23 more.com 1 14->23         started        signatures8 67 Wscript starts Powershell (via cmd or directly) 16->67 69 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 16->69 25 powershell.exe 60 16->25         started        29 extrac32.exe 10 19->29         started        process9 file10 55 C:\Windows\Branding\mediasvc.png, PE32+ 25->55 dropped 57 C:\Windows\Branding\mediasrv.png, PE32+ 25->57 dropped 59 C:\Users\user\AppData\...\dcczv0if.cmdline, UTF-8 25->59 dropped 79 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 25->79 81 Powershell drops PE file 25->81 31 reg.exe 25->31         started        34 csc.exe 25->34         started        37 csc.exe 25->37         started        39 5 other processes 25->39 61 C:\Users\user\AppData\Local\Temp\ready.ps1, ASCII 29->61 dropped signatures11 process12 file13 85 Creates a Windows Service pointing to an executable in C:\Windows 31->85 51 C:\Users\user\AppData\Local\...\dcczv0if.dll, PE32 34->51 dropped 41 cvtres.exe 34->41         started        53 C:\Users\user\AppData\Local\...\ptw5p55h.dll, PE32 37->53 dropped 43 cvtres.exe 37->43         started        45 conhost.exe 39->45         started        47 conhost.exe 39->47         started        49 conhost.exe 39->49         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bc8c57bc1c743b7607ba2e15670591551241fd3b129c266c5894159e72d1c72/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-11 07:55:45 UTC
File Type:
PE+ (Exe)
Extracted files:
23
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2c8ea0f991d74146f056e4ed453e92ad1798daf2878f5520f54cf3d70d607613
72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
ba483bee9e68e055952e71255eb24bd6ca52c1238d3efe96bcb66506e80e6792
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210211-tyk4ngwz9s/
Behaviour
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
4bc8c57bc1c743b7607ba2e15670591551241fd3b129c266c5894159e72d1c72
MD5 hash:
148e404cba10f384eeb538dac9912f13
SHA1 hash:
e938bab991e837c04b85051dd31bc10190df952c
Link:
https://www.unpac.me/results/edc9e601-3d04-4f42-a2d9-c36b9dd4cec8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bc8c57bc1c743b7607ba2e15670591551241fd3b129c266c5894159e72d1c72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4bc8c57bc1c743b7607ba2e15670591551241fd3b129c266c5894159e72d1c72

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/116714/
  
URLhaus
https://urlhaus.abuse.ch/url/975095/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1000963/

Comments