MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a
SHA3-384 hash:	f4452dba0133ca4c4a56865ebfc1dee05b11971d1e7203ad74477f6fcc273ba77ec382d6c7028443fb5be383127d3485
SHA1 hash:	e52aad204a9e5b6914885fc7325a44a1e088ca28
MD5 hash:	0184924485a5bb35957ca5102af07b50
humanhash:	uranus-november-indigo-robin
File name:	BK8476699_BOOKING.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	476'896 bytes
First seen:	2021-09-09 13:01:43 UTC
Last seen:	2021-09-10 05:07:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	44a3b2717afc04118a3e0594296c9297 (2 x GuLoader)
ssdeep	6144:WZYzEN1GGXyWwGLLVHffBfUfBfInLGGGGGGGGGGGGGGGGGGGGGGGGGGGGzGGGGG5:DzEN9/C6G
Threatray	5'163 similar samples on MalwareBazaar
TLSH	T13CA4B751F479C265D55F7F33EB10E5F50222EC5244F1E90B2688BD6334FA2DEE80AA4A
dhash icon	79f0e2e6b2b2b268 (1 x GuLoader)
Reporter	malwarelabnet
Tags:	exe formbook guloader GuLoader

Intelligence

File Origin

# of uploads :

2

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/186666/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c703ac4b-57f9-46e1-9780-7ad641bc03cc

Result

Threat name:

GuLoader FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/848094

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

GuLoader behavior detected

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

Behaviour

Behavior Graph:

Detection:

guloader

Link:

https://mwdb.cert.pl/sample/024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2021-09-09 02:47:30 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ajcjbp4z2k3x3r4uhjmtfo5dqwki723uc36egsmsle7hfowupava._file

Verdict:

malicious

Label(s):

cloudeye

Similar samples:

27563e3971b4f2baf6bf551323b1538809038aa456d5e0c02dd5e6a902b8f0e6

384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f

39de6e1f455747a1e878f070e5b62e306a60bd595d5a1840518cc07972a5c6d1

3ec89e73e39d8f49eb7af879ca10a3b172a155b50cffd2e98dd4826c4284fd49

75591cb23ef20e0a1bc8d01a392621d608b83ee25bcf37b330d3e966d2c8a50b

ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9

e909198f5ca355e38c8459bc7ae2028ee25f849fde5c37714f914b87a94b5182

ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15

+ 5'153 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/210909-p9sm8sgbg4/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/19432def-ace9-4f99-9526-2aae035bfdd6/

SH256 hash:

024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a

MD5 hash:

0184924485a5bb35957ca5102af07b50

SHA1 hash:

e52aad204a9e5b6914885fc7325a44a1e088ca28

Link:

https://www.unpac.me/results/19432def-ace9-4f99-9526-2aae035bfdd6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/186666/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample