MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0330d6ce24c120c8b37a691bebfe1fc023bda398d26942c2775c1bfb886a6f75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0330d6ce24c120c8b37a691bebfe1fc023bda398d26942c2775c1bfb886a6f75
SHA3-384 hash: a8ee6ca91a454d5c6ee07fa395df28c2c91569f532a35278faac872dce12febc5fa4ac7e08776242d7ee36a43518efd2
SHA1 hash: f0334ffdf9399a3bcd6f6a55f12bb708e7184b64
MD5 hash: 52ecf1eda77735ff792defcaab299e41
humanhash: chicken-kilo-north-diet
File name:SKMBT 23082021 Ref MT103.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:249'856 bytes
First seen:2021-08-24 13:50:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6923c8ee86140e5fe91a6ff4f0a9d1b8 (2 x GuLoader)
ssdeep 6144:T6svF7BBdIuodGBoYsWxSFwoFbZBBdIuoMFO6s:T6yB0dK9sRFwqbB0L6
Threatray 396 similar samples on MalwareBazaar
TLSH T103348DB220DB5C57E52342B520FBDB3847523A1AD56E59EAB0D6B23586FF302813970E
dhash icon d2cec6cae29292a2 (2 x GuLoader)
Reporter Anonymous
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKMBT 23082021 Ref MT103.exe
Verdict:
No threats detected
Analysis date:
2021-08-24 14:00:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e2053947-da59-4646-bc4a-9394172e80e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181934/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.31197.9776.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e0fe836-7fd7-48d6-acea-a9173a6b2ebd
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838336
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 470768 Sample: SKMBT 23082021 Ref MT103.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 29 www.lacasitastaffing.com 2->29 31 www.jeffreyrklugphotography.com 2->31 33 2 other IPs or domains 2->33 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 9 other signatures 2->53 11 SKMBT 23082021 Ref MT103.exe 1 2->11         started        signatures3 process4 signatures5 65 Tries to detect Any.run 11->65 67 Hides threads from debuggers 11->67 14 SKMBT 23082021 Ref MT103.exe 6 11->14         started        process6 dnsIp7 41 192.168.2.1 unknown unknown 14->41 43 onedrive.live.com 14->43 45 2 other IPs or domains 14->45 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Tries to detect Any.run 14->71 73 Maps a DLL or memory area into another process 14->73 75 3 other signatures 14->75 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 35 www.unstuckwithfred.net 74.220.199.6, 49748, 80 UNIFIEDLAYER-AS-1US United States 18->35 37 perfect-retouch.com 81.169.145.86, 49743, 80 STRATOSTRATOAGDE Germany 18->37 39 22 other IPs or domains 18->39 55 System process connects to network (likely due to code injection or exploit) 18->55 57 Uses netstat to query active network connections and open ports 18->57 22 NETSTAT.EXE 18->22         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 22->59 61 Maps a DLL or memory area into another process 22->61 63 Tries to detect virtualization through RDTSC time measurements 22->63 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0330d6ce24c120c8b37a691bebfe1fc023bda398d26942c2775c1bfb886a6f75/
Verdict:
unknown
Similar samples:
17a00793ae886c9cae84cba40332249374010e64bd168e907d9a16076479ff29
GuLoader
3707f19a40b8b5196bf6bf35dab58bd6e0b586533f47ee4f803f9f991ec5a77a
GuLoader
5e511d66664d13e1276eb5d08ea2e48e004a614d114f2b35c2a742912694dfd7
GuLoader
6fb77f025210f6eafed61a9216a3d9df986d352a5594f62547990fc0880e6e43
GuLoader
8653a11ee811265418a3b6f12945c585b77aea72f02b2d80f481c1100d895299
GuLoader
89d98c4ec833d8a798f26dd15eda6e7868972d52da8074d756b47f682e9f61e0
GuLoader
afa8c23ac5d9fc6fbe15cd6baf1b64c40efd1c62c9ddefe88329d26551db32f2
GuLoader
be4614de71b42f1015076a3c708c09f911091333bdca1792450eccddc5ab1484
GuLoader
c8bdfc9eea22464897b3dae7829464348f27a1ff1989cf33d1de95bc0a99527f
GuLoader
f060225054513f81f7600706174134f5bed19ede10f3134f59514542305c7f2b
GuLoader
+ 386 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210824-mj9r7rt2aj/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
0330d6ce24c120c8b37a691bebfe1fc023bda398d26942c2775c1bfb886a6f75
MD5 hash:
52ecf1eda77735ff792defcaab299e41
SHA1 hash:
f0334ffdf9399a3bcd6f6a55f12bb708e7184b64
Link:
https://www.unpac.me/results/b845f229-985d-4538-95aa-a8b508c26abf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/0330d6ce24c120c8b37a691bebfe1fc023bda398d26942c2775c1bfb886a6f75

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/181934/

Comments