MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2
SHA3-384 hash: aa2ecc3ab26d2a67e5faa51c6c9643b9112c4a3aab0acb0e9fb09a9dedddaf02e7d6290c2d1e40cc24358bc00012943e
SHA1 hash: 3684266021fb50f901c431a3c050ee4edad5922a
MD5 hash: 0d67a0b9a6e5dedc5ca37954baf54b17
humanhash: salami-pennsylvania-ceiling-august
File name:DLAWT.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:426'184 bytes
First seen:2023-04-20 12:31:22 UTC
Last seen:2023-05-13 22:49:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 6144:agORaMgJiUyKoFK1+vIG1yWNtNIFOuO9l9jtEuOoy7Dy9W1ykZsdHXxjQI5QY9w0:agvZCFK1+vIG1ztGO39lSHyzkWX5QTyn
Threatray 1'523 similar samples on MalwareBazaar
TLSH T16A94127503A1C656EA715E30C97EE2F6A9A1AD22C67C572337307FDDB832381C60A365
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter ankit_anubhav
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-17T10:45:33Z
Valid to:2025-04-16T10:45:33Z
Serial number: 24568dcc89a2321870ef766acf1e0a13b2d2e74d
Thumbprint Algorithm:SHA256
Thumbprint: 581b16dce6c21cb2b751bc3fd39cfbb8f16f0dc202fe9d42c1b701b2d3275d0a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
TH TH
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
DLAWT.scr
Verdict:
Malicious activity
Analysis date:
2023-04-20 12:33:27 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/795c1ce0-f1c8-452e-bf3a-d142e204693d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383768/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.22270.11031.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Delayed reading of the file
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80665/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/644130c3cf53491c99888857/reports/bc29cd77-4c3f-498c-a5b8-0c0205ebed4c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a1b8d80f-d1ac-47f2-9cea-07abd966f0c7
Result
Threat name:
GuLoader, NanoCore
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217996
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 850943 Sample: DLAWT.scr.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 50 googlehosted.l.googleusercontent.com 2->50 52 drive.google.com 2->52 54 doc-14-2s-docs.googleusercontent.com 2->54 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Sigma detected: NanoCore 2->66 68 2 other signatures 2->68 9 DLAWT.scr.exe 1 24 2->9         started        13 CasPol.exe 4 2->13         started        15 dslmon.exe 4 2->15         started        17 dslmon.exe 3 2->17         started        signatures3 process4 file5 46 C:\Users\user\AppData\...\cksumvfs.dll, PE32+ 9->46 dropped 48 C:\Users\user\AppData\Local\...\System.dll, PE32 9->48 dropped 76 Writes to foreign memory regions 9->76 78 Tries to detect Any.run 9->78 19 CasPol.exe 1 20 9->19         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        signatures6 process7 dnsIp8 56 googlehosted.l.googleusercontent.com 142.250.74.193, 443, 49791 GOOGLEUS United States 19->56 58 drive.google.com 172.217.16.142, 443, 49790 GOOGLEUS United States 19->58 60 213.152.161.138, 3692 GLOBALLAYERNL Netherlands 19->60 40 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->40 dropped 42 C:\Users\user\AppData\Local\...\tmpE3EC.tmp, XML 19->42 dropped 44 C:\Program Files (x86)\...\dslmon.exe, PE32 19->44 dropped 70 Uses schtasks.exe or at.exe to add and modify task schedules 19->70 72 Tries to detect Any.run 19->72 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->74 30 schtasks.exe 1 19->30         started        32 schtasks.exe 1 19->32         started        34 conhost.exe 19->34         started        file9 signatures10 process11 process12 36 conhost.exe 30->36         started        38 conhost.exe 32->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwon25jg6bjuh7ndllfd4dtjhgv63cqdpifiohhjztiongrxihza._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
GuLoader
4709918939b87a9c054e217770dc158f33c7446815b548d5dabd4a6b138b61b8
GuLoader
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
GuLoader
799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21
GuLoader
951049989eb772c71ec4fa9f0685ab45cae755ca5d34cf3089fd791999fafa1c
GuLoader
cf890935581d55d30342de2c71190393c3c03b99258ba7a1e3e3139099ee0b97
GuLoader
cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
GuLoader
+ 1'513 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230420-pql2cahg97/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
213.152.161.138:3692
Unpacked files
SH256 hash:
b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81
MD5 hash:
a1da6788aeaf78ca4ae1dece8019e49d
SHA1 hash:
d770155e6e9aa69223be198c44a8da26a1756d89
Link:
https://www.unpac.me/results/663c23f8-b334-4820-a120-895ede285721/
SH256 hash:
4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2
MD5 hash:
0d67a0b9a6e5dedc5ca37954baf54b17
SHA1 hash:
3684266021fb50f901c431a3c050ee4edad5922a
Link:
https://www.unpac.me/results/663c23f8-b334-4820-a120-895ede285721/
Malware family:
NanoCore
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d9cdd7526f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383768/

Comments