MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8519cee2bbf5c257375b339d530b33f275db40c06de0f96911eb5b4f207f2c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 13



SHA256 hash: d8519cee2bbf5c257375b339d530b33f275db40c06de0f96911eb5b4f207f2c5
SHA3-384 hash: b6681a5072933373af886307d76fb3d6b92c06d2f1393cb2079c6fe54c5ac4ff892f0ad391bcd34672c4292289251cbd
SHA1 hash: b094f5e4c3792a05b7f307ad78d2e52cfcbf87b4
MD5 hash: 626cdeaa4696c819fd07921073f6c740
humanhash: black-uncle-march-four
File name: Original Shipment_Document.PDF.exe
Signature: GuLoader
File size: 341'696 bytes
First seen: 2022-08-05 09:22:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (532 x GuLoader, 330 x Formbook, 242 x Loki)
ssdeep: 6144:JNeZc5FBkXpIwbmr2KEROaPdEY8mff3PgRsmq:JNRTr2KEROoT8mfH+q
TLSH: T19F741AC1E199FCD5C428007659B9E521251BAB6EF0B8493B396A7519B0FF383607BE0F
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: d4d0d4ccccdcec34 (4 x Loki, 1 x GuLoader)
Reporter: @GovCERT_CH
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: Slnggrebets Buginese Itemizer
Issuer: Slnggrebets Buginese Itemizer
Algorithm: sha256WithRSAEncryption
Valid from: 2021-09-30T14:49:03Z
Valid to: 2024-09-29T14:49:03Z
Serial number: 2a16dd32e2795ebb
Thumbprint algorithm: SHA256
Thumbprint: 1860fbbe1c07e5046864295e0ae0ba476642d85716e6ddb0c4d6e2bf3405db86
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 265
Origin country: CH

Mail intelligence
No data

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Original Shipment_Document.PDF.exe
Verdict: Malicious activity
Analysis date: 2022-08-05 09:25:02 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nanocore, GuLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: NanoCore
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected GuLoader
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 679174; Sample: Original Shipment_Document....; Startdate: 05/08/2022; Architecture: WINDOWS; Score: 100
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2022-08-05 01:47:39 UTC
File type: PE (Exe)
Extracted files: 6
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Verdict: malicious
Label(s): cloudeye

Result
Malware family: nanocore
Score: 10/10
Tags: family:guloader family:nanocore downloader keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction: tuk.linkpc.net:4726

Unpacked files
SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  MD5: cff85c549d536f651d4fb8387f1976f2
  SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256: 1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
  MD5: 675c4948e1efc929edcabfe67148eddd
  SHA1: f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
SHA256: 0b2277d8aaf36e01aca3ae33e227b44bebc541a9c5cef6eb4fef93e96821a6cd
  MD5: b1ba7a8263281244782ca5604876cb2c
  SHA1: b8523dee6d7e74512a05c60cc35c0fddac370252
SHA256: d8519cee2bbf5c257375b339d530b33f275db40c06de0f96911eb5b4f207f2c5
  MD5: 626cdeaa4696c819fd07921073f6c740
  SHA1: b094f5e4c3792a05b7f307ad78d2e52cfcbf87b4

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery: Malspam
Family: GuLoader
File: Executable exe d8519cee2bbf5c257375b339d530b33f275db40c06de0f96911eb5b4f207f2c5 (this sample)
Dropped by: guloader
Delivery method: Distributed via e-mail attachment
