MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ede5c7b0267f4801a7bebb22a18035923e71a476ceb3b9d94f582aa199deb3f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ede5c7b0267f4801a7bebb22a18035923e71a476ceb3b9d94f582aa199deb3f0
SHA3-384 hash: 175d8ade484088d0f7d64415923bdc1cc02827bd53c0340a7697fed04dd99f2588a7eeb51269842c106c8c1b415943af
SHA1 hash: f2a572347c81b71c3a59f00a37f68db698715460
MD5 hash: acfcbd916fa04787e4388b339592dd78
humanhash: kansas-apart-magnesium-neptune
File name:acfcbd916fa04787e4388b339592dd78.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:131'072 bytes
First seen:2021-02-24 08:05:22 UTC
Last seen:2021-02-24 10:50:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cc882d101998a701353b40b0cd8c341a (6 x GuLoader, 1 x Formbook)
ssdeep 3072:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHNlyCI2jnyIa3MAB+f/FwGIt1KFzOn1k4H:FwVUPYLV4+aQTxxs+7Qx+2OGeoyrARHs
Threatray 4 similar samples on MalwareBazaar
TLSH 0BD35BB173B7D9B7F41A1B728A32C6B963509F135E45484711F03A4F6634A826B30EFA
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21106&authkey=AHaSu1X93eKF7Jc

Intelligence

File Origin
# of uploads :
2
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO AAN2102002-V020.doc
Verdict:
Malicious activity
Analysis date:
2021-02-24 06:33:14 UTC
Tags:
ole-embedded exploit CVE-2017-11882
Link:
https://app.any.run/tasks/01964141-28b8-476f-aa67-25cb661d0662

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118922/
Detection(s):
SecuriteInfo.com.W32.AIDetectGBM.malware.01.6831.1556.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616340
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357177 Sample: 3Fv4j323nj.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 8 other signatures 2->61 8 3Fv4j323nj.exe 1 2->8         started        11 RegAsm.exe 4 2->11         started        14 dhcpmon.exe 4 2->14         started        16 2 other processes 2->16 process3 file4 71 Writes to foreign memory regions 8->71 73 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 8->73 75 Tries to detect Any.run 8->75 77 2 other signatures 8->77 18 RegAsm.exe 2 22 8->18         started        47 C:\Users\user\AppData\...\RegAsm.exe.log, ASCII 11->47 dropped 23 conhost.exe 11->23         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        signatures5 process6 dnsIp7 49 194.5.98.182, 3765, 49743, 49744 DANILENKODE Netherlands 18->49 51 onedrive.live.com 18->51 53 2 other IPs or domains 18->53 39 C:\Users\user\AppData\Roaming\...\run.dat, COM 18->39 dropped 41 C:\Users\user\AppData\Local\...\tmpE4CC.tmp, XML 18->41 dropped 43 C:\Users\user\subfolder1\filename1.exe, PE32 18->43 dropped 45 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->45 dropped 63 Contains functionality to detect hardware virtualization (CPUID execution measurement) 18->63 65 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 18->65 67 Tries to detect Any.run 18->67 69 3 other signatures 18->69 29 schtasks.exe 1 18->29         started        31 schtasks.exe 1 18->31         started        33 conhost.exe 18->33         started        file8 signatures9 process10 process11 35 conhost.exe 29->35         started        37 conhost.exe 31->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ede5c7b0267f4801a7bebb22a18035923e71a476ceb3b9d94f582aa199deb3f0/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 08:06:06 UTC
AV detection:
5 of 48 (10.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xs4pmbgp5eadj56xmrkdabvsi7hdjdwz2z3twkplavkdgo6wpya._file
Verdict:
suspicious
Similar samples:
44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
GuLoader
7b5541d2b21aecc162a92f39f7641986f5cecbbb840257bdb88fa028fc0455bf
GuLoader
9d97eea7bad17d4b303d3b7e4b4178f94462ba08c29c46a4e2f8707afde9bee3
GuLoader
b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5
GuLoader
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210224-5fsn3ey7ne/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
ede5c7b0267f4801a7bebb22a18035923e71a476ceb3b9d94f582aa199deb3f0
MD5 hash:
acfcbd916fa04787e4388b339592dd78
SHA1 hash:
f2a572347c81b71c3a59f00a37f68db698715460
Link:
https://www.unpac.me/results/67381f5a-2fbf-42af-8206-762979a41a2d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe ede5c7b0267f4801a7bebb22a18035923e71a476ceb3b9d94f582aa199deb3f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1023406/
  
URLhaus
https://urlhaus.abuse.ch/url/1026953/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118922/

Comments