MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feec98d66a46070620824dadc73263034601ee4fbd6341997b6090693ed8b0c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: feec98d66a46070620824dadc73263034601ee4fbd6341997b6090693ed8b0c6
SHA3-384 hash: 1a4ea2210460b9a8241764a14977928d681d0be6e0f40fa47214c52d9145e1acef38a8e4c14502cd0727367f5e7085ad
SHA1 hash: ca32ead33f9583bfff92d2b55b109e5879874063
MD5 hash: 0ba742f6d1c206638efd5064acd6f862
humanhash: kilo-sweet-timing-king
File name:0ba742f6_by_Libranalysis
Download: download sample
Signature GuLoader
Create hunting rule
File size:112'336 bytes
First seen:2021-05-19 19:01:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 3072:XFJxX7lKkqt24Im3S93Mw0pFGL7nabx3rTOtC/0SyZAIRW2HH9:XJrKI4s3WOlkw
Threatray 1'651 similar samples on MalwareBazaar
TLSH 57B3C4B6B6BBA975FF5880F0274C93EC81A72E78C4048947DCC6251463F1A72E6607F6
Reporter Libranalysis
Tags:GuLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ba742f6_by_Libranalysis
Verdict:
No threats detected
Analysis date:
2021-05-19 19:09:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/34ec3406-5860-439d-b302-ec91f01a3220

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158755/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.9368.4889.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785300
Signature
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 417698 Sample: 0ba742f6_by_Libranalysis Startdate: 19/05/2021 Architecture: WINDOWS Score: 100 33 Potential malicious icon found 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 6 other signatures 2->39 7 0ba742f6_by_Libranalysis.exe 2->7         started        10 dhcpmon.exe 4 2->10         started        process3 signatures4 41 Writes to foreign memory regions 7->41 43 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 7->43 45 Tries to detect Any.run 7->45 47 2 other signatures 7->47 12 RegAsm.exe 1 18 7->12         started        17 RegAsm.exe 7->17         started        19 conhost.exe 10->19         started        process5 dnsIp6 27 hdgavzxcniopkjhsvcbnxmnzvqaswyiokdseacbu.ydns.eu 188.72.95.7, 1772, 49735, 49736 UKSERVERS-ASUKDedicatedServersHostingandCo-Location Netherlands 12->27 29 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 103.232.54.201, 49734, 80 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 12->29 31 192.168.2.1 unknown unknown 12->31 23 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 12->23 dropped 25 C:\Program Files (x86)\...\dhcpmon.exe, PE32 12->25 dropped 49 Tries to detect Any.run 12->49 51 Hides threads from debuggers 12->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->53 21 conhost.exe 12->21         started        55 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 17->55 57 Tries to detect virtualization through RDTSC time measurements 17->57 file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/feec98d66a46070620824dadc73263034601ee4fbd6341997b6090693ed8b0c6/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 13:50:38 UTC
AV detection:
19 of 47 (40.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=73wjrvtkiydqmiecjww4omtdandad3spxvrudgl3mcigspwywdda._file
Verdict:
unknown
Similar samples:
0089a67b8891a809e2c7699b1d97e0d1286756c801aecc20a200a13b049ecb94
GuLoader
17febcec21b3156aec42aea1f3b70e45b0ea57572547b483aeb1614a6d5a4d89
GuLoader
250d4d5045162c39e3c1b9d637e0188089299a04106202afdf1f4826d24e27f4
GuLoader
26429a83373a49db5ad7801f324d8f1ce0aafd687ee405a44cb8d6ebebf65c15
GuLoader
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
GuLoader
55fbd4afb3b387dcab2c4ccb60e2ced461773add94567b99207ccd7faa3ed05f
GuLoader
96beaff70c51e04f38db0943eddd24ecc142ef2815d536b82655e25fbf5a54db
GuLoader
9e3fdcc393fc96ce693041533b4ecc9e43d57ad1bca40c99d07713dc90d39bd4
GuLoader
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
GuLoader
cf402201a7df7964444627570fc2e1363ce0818b7765d371d487daae70c4ce29
GuLoader
+ 1'641 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210519-l25ebs6ehx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/frank%20nano%20without%20startup_UdEfKhbWc126.bin
:1772
hdgavzxcniopkjhsvcbnxmnzvqaswyiokdseacbu.ydns.eu:1772
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/feec98d66a46070620824dadc73263034601ee4fbd6341997b6090693ed8b0c6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe feec98d66a46070620824dadc73263034601ee4fbd6341997b6090693ed8b0c6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/158755/
  
URLhaus
https://urlhaus.abuse.ch/url/1255989/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-19 20:07:55 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing