Windows Analysis Report
dlawt.exe

Overview

General Information

Sample Name: dlawt.exe
Analysis ID: 711461
MD5: cf313a27bceba36c7fa863ba1e935676
SHA1: 4ff90062880efe58e6e26ded7f166c5786e201db
SHA256: d4fba0fc4c7c1335a5b6be72e575a2a9a400a5fd9b0aed69389d4bba8fac7527
Infos:

Detection

NanoCore, GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected GuLoader
Snort IDS alert for network traffic
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification