MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments 1

SHA256 hash:	05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c
SHA3-384 hash:	ec6c13518d8cc0f18e9877dbd31fdf1a972156c94d71fe64a3beac2f37789ca4aff6277eb2fa48c0e61b6e9d4eec7045
SHA1 hash:	40cb62f0760b7875380c5cf49146698e85f6087a
MD5 hash:	d2a06a7386680bc248d79c2974f9b0cf
humanhash:	glucose-zebra-carolina-zebra
File name:	d2a06a7386680bc248d79c2974f9b0cf
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	403'784 bytes
First seen:	2023-06-08 12:21:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e9c0657252137ac61c1eeeba4c021000 (55 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep	6144:26dANzV+OT7cG6I3iLV6COt4gVVvrCbZwRyxiin5YSU9snMl2ZLQ1o:EP+OTQ7I3iLwJVVrCbb75lMOLz
Threatray	511 similar samples on MalwareBazaar
TLSH	T13F84F13A376DC52FF14916B16DA3834973B0AEC03DE44743B7673B2C997934299C229A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	zbetcheckin
Tags:	32 exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-09-02T00:36:05Z
Valid to:	2025-09-01T00:36:05Z
Serial number:	581898dc121b16846fbfa2387db7c24dde376672
Thumbprint Algorithm:	SHA256
Thumbprint:	5d409be77fa4d7b44aa4208663700e070929507cbd54b4dba9835f1a112a2b8d
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f5879c1be334d16e12d50db0fd3c233f

Verdict:

Malicious activity

Analysis date:

2023-06-08 09:16:26 UTC

Tags:

exploit cve-2017-11882 opendir loader

Link:

https://app.any.run/tasks/c2d4d7de-a221-40bf-9d0f-86d66f612934

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/396958/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67413949.4919.8989.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file

Creating a file in the %temp% subdirectories

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/89958/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

buer lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6481c7eaac63cac41b536abe/reports/d74c6ffa-9c46-4fd8-84b8-27dcb9aaafe6/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e0f4e205-e70e-49f6-97c0-7ecc229ae8e3

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1251232

Signature

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-06-06 15:30:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=axdlqtemkma33bwvr6adnjddkove5djgaa6ginr3sfcr3ee3jnga._file

Verdict:

malicious

Label(s):

cloudeye

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/230608-pjwl7sfh71/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Loads dropped DLL

Guloader,Cloudeye

Unpacked files

SH256 hash:

ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

MD5 hash:

0063d48afe5a0cdc02833145667b6641

SHA1 hash:

e7eb614805d183ecb1127c62decb1a6be1b4f7a8

Link:

https://www.unpac.me/results/876af42f-e5ff-4dea-b5b4-8aac8da78db3/

Parent samples :

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

SH256 hash:

05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c

MD5 hash:

d2a06a7386680bc248d79c2974f9b0cf

SHA1 hash:

40cb62f0760b7875380c5cf49146698e85f6087a

Link:

https://www.unpac.me/results/876af42f-e5ff-4dea-b5b4-8aac8da78db3/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/05c6b84c8c53/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

GuLoader

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

exe 05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2655673/

Cape

https://www.capesandbox.com/analysis/396958/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-06-08 12:21:13 UTC

url : hxxp://192.3.176.146/311/hkcmd.exe