MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 496fa2a5a6abbc22d6a4c63e31847156d61c240d8e3a793e1b4de46e09827b52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 6


Intelligence 6 File information Yara Comments

SHA256 hash: 496fa2a5a6abbc22d6a4c63e31847156d61c240d8e3a793e1b4de46e09827b52
SHA3-384 hash: def151ebda19366be87a9a646d7bac3af1039940f722f0ebbf35f1297ba3f69893e9cfbfa33922c81b4f822619dc9179
SHA1 hash: 395e7683548c8a25c4963e3e3c56b04b76dbf0b7
MD5 hash: 869eae0220a293dcabf4051dd323bbd8
humanhash: potato-blue-bacon-low
File name:SecuriteInfo.com.Variant.Razy.845229.27038.1852
Download: download sample
Signature GuLoader
File size:106'496 bytes
First seen:2021-02-23 10:49:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fb04c04dc9621084e24b4642ca2fed6
ssdeep 1536:Bb7/1JxTzAXah9um4sC0COiM9vuDjb7/1Jx:vzAqnQ0eM9i
Threatray 4'662 similar samples on MalwareBazaar
TLSH F4A3D76BAC9C8486D72C4130D85EA44552A5FD203AE3A69BF040FD39D97A3E1D77833B
Reporter @SecuriteInfoCom
Tags:GuLoader

Intelligence


File Origin
# of uploads :
1
# of downloads :
61
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356590 Sample: SecuriteInfo.com.Variant.Ra... Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 38 Multi AV Scanner detection for domain / URL 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 4 other signatures 2->44 9 SecuriteInfo.com.Variant.Razy.845229.27038.exe 1 2->9         started        12 win.exe 1 2->12         started        process3 signatures4 50 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 9->50 52 Tries to detect virtualization through RDTSC time measurements 9->52 54 Contains functionality to hide a thread from the debugger 9->54 14 SecuriteInfo.com.Variant.Razy.845229.27038.exe 4 10 9->14         started        process5 dnsIp6 32 mtspsmjeli.sch.id 103.150.60.242, 49754, 80 PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID unknown 14->32 28 C:\Users\user\AppData\Roaming\win.exe, PE32 14->28 dropped 30 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 14->30 dropped 34 Tries to detect Any.run 14->34 36 Hides threads from debuggers 14->36 19 wscript.exe 1 14->19         started        file7 signatures8 process9 process10 21 cmd.exe 1 19->21         started        process11 23 win.exe 1 21->23         started        26 conhost.exe 21->26         started        signatures12 46 Multi AV Scanner detection for dropped file 23->46 48 Machine Learning detection for dropped file 23->48
Threat name:
Win32.Trojan.Razy
Status:
Malicious
First seen:
2021-02-23 09:49:36 UTC
AV detection:
21 of 29 (72.41%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
SH256 hash:
496fa2a5a6abbc22d6a4c63e31847156d61c240d8e3a793e1b4de46e09827b52
MD5 hash:
869eae0220a293dcabf4051dd323bbd8
SHA1 hash:
395e7683548c8a25c4963e3e3c56b04b76dbf0b7
Threat name:
Legit
Score:
0.16

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 496fa2a5a6abbc22d6a4c63e31847156d61c240d8e3a793e1b4de46e09827b52

(this sample)

  
Delivery method
Distributed via web download

Comments