MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0557d7be3d3d7b353dd4339e660c177cba1421c61eb8f5ddbd5c66053ea02874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0557d7be3d3d7b353dd4339e660c177cba1421c61eb8f5ddbd5c66053ea02874
SHA3-384 hash: c7b4a01dd3ed0999d49196f55a8e225953065877f7f3a86a87f844e407e6bb98c608395630caf373b6b9b25cd1c285c6
SHA1 hash: 028f1cfac73f667cf5551ae8d3009dc19c97ce89
MD5 hash: f9911af7dc71c2dc8692d73ef661b6a4
humanhash: lake-finch-sink-equal
File name:komunikat bankowy001.pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:126'976 bytes
First seen:2021-09-29 15:41:56 UTC
Last seen:2021-09-29 17:00:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 71d5a9f33de2f7c250bf122de57cb463 (2 x GuLoader)
ssdeep 1536:WD/fn1kdwiRYhbfXUJj5yL8IEQ2p/FFDWua9dUwypPIlP9L:k1Ji8XUJj5yQIEQY/rDWd9dUwuIJ9
Threatray 5'565 similar samples on MalwareBazaar
TLSH T1CBC307976539682BC573B9F6E314926E120D3CF712D0484A16D4B71FBE23CBA78A7D02
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter abuse_ch
Tags:exe geo GuLoader POL

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
komunikat bankowy001.pdf.exe
Verdict:
No threats detected
Analysis date:
2021-09-29 18:03:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58328727-005b-46eb-b6da-bf9a0c1533e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193228/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.27026.29884.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec9fb74b-150f-45ba-addc-97255e639f87
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861331
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: CMSTP Execution Process Creation
Sigma detected: Suspicious Double Extension
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1416 Sample: komunikat bankowy001.pdf.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 27 googlehosted.l.googleusercontent.com 2->27 29 drive.google.com 2->29 31 doc-0s-70-docs.googleusercontent.com 2->31 37 Potential malicious icon found 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 13 other signatures 2->43 11 komunikat bankowy001.pdf.exe 2->11         started        signatures3 process4 signatures5 51 Tries to detect Any.run 11->51 53 Hides threads from debuggers 11->53 14 komunikat bankowy001.pdf.exe 6 11->14         started        process6 dnsIp7 33 drive.google.com 142.250.74.110, 443, 49832 GOOGLEUS United States 14->33 35 googlehosted.l.googleusercontent.com 216.58.212.129, 443, 49833 GOOGLEUS United States 14->35 55 Modifies the context of a thread in another process (thread injection) 14->55 57 Tries to detect Any.run 14->57 59 Maps a DLL or memory area into another process 14->59 61 3 other signatures 14->61 18 explorer.exe 14->18 injected signatures8 process9 process10 20 cmstp.exe 18->20         started        signatures11 45 Self deletion via cmd delete 20->45 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Maps a DLL or memory area into another process 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0557d7be3d3d7b353dd4339e660c177cba1421c61eb8f5ddbd5c66053ea02874/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 15:42:09 UTC
AV detection:
12 of 25 (48.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=avl5ppr5hv5tkpougopgmdaxps5biiogd24plxn5lrtakpvafb2a._file
Verdict:
malicious
Similar samples:
2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3
GuLoader
548aefb935e11a84133bd8b3d367d988b9ad2e3bde7f4c0fffcf6a94b529be72
GuLoader
576c45faf084a4f7d282e460ee207cd9a6dc269444701ee211f9aeb7879efc35
GuLoader
73b83d70f24909aea7920a86029b43198979d7e31ab768619371e12fc7399f93
GuLoader
7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9
GuLoader
8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
GuLoader
99c1a96121410c61014d0115983f43fad64acc77d21914a9fb9e3c6ba262627a
GuLoader
d6857aa5fd52de7b5f61da1d7556c2aa04ca9040fbd399ab797b927fc06aef12
GuLoader
f5502d660f4b1f1110b7ba4fd0eab36ec5b44ff97c12b146a48ff8e38efa4745
GuLoader
+ 5'555 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210929-s5b2gafcb2/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
0557d7be3d3d7b353dd4339e660c177cba1421c61eb8f5ddbd5c66053ea02874
MD5 hash:
f9911af7dc71c2dc8692d73ef661b6a4
SHA1 hash:
028f1cfac73f667cf5551ae8d3009dc19c97ce89
Link:
https://www.unpac.me/results/d38bcefa-7b94-46b0-b82d-136acf944ac4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0557d7be3d3d7b353dd4339e660c177cba1421c61eb8f5ddbd5c66053ea02874

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193228/

Comments