MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b54ff609b5ae4eb2d5e32b26ce5446ac83684088785dc51b22bbfccf61e06e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b54ff609b5ae4eb2d5e32b26ce5446ac83684088785dc51b22bbfccf61e06e5
SHA3-384 hash: 81520c39e2e3db8f5b0126ce6a33c9287d27d650ffe91d6d99c2def8a2150636a59d40977e015118d42497a1196f7337
SHA1 hash: 3b65868687cb84c25737ebba99f0f7f2c91c1255
MD5 hash: 405fb8aa2e5c03fabef74abbbf331192
humanhash: autumn-glucose-yellow-triple
File name:405fb8aa2e5c03fabef74abbbf331192.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:87'768 bytes
First seen:2021-05-20 14:32:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 460f9cd83bcc5d612a8fc7838b465d4e (2 x GuLoader)
ssdeep 1536:9ZoWW/JVs1tT7pOalilHY0NgYFSTL52ubQODd:9ZFJ79UlHY+tFSg2R
Threatray 5'214 similar samples on MalwareBazaar
TLSH 36832933A0749271FAD28EF05768996C4E176D7E0F8DD8E730496A192BB1F4197303EA
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/XP_remcos%202021_ogBiNEKs50.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
405fb8aa2e5c03fabef74abbbf331192.exe
Verdict:
Malicious activity
Analysis date:
2021-05-20 15:01:19 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/9e544068-9afd-4b1e-b62c-93f08dbf397e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/159729/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/786297
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 418695 Sample: gYgLemI0Dn.exe Startdate: 20/05/2021 Architecture: WINDOWS Score: 100 40 wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu 2->40 42 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 2->42 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 11 gYgLemI0Dn.exe 1 2->11         started        14 win.exe 1 2->14         started        16 win.exe 1 2->16         started        signatures3 process4 signatures5 58 Contains functionality to detect hardware virtualization (CPUID execution measurement) 11->58 60 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->60 62 Tries to detect Any.run 11->62 64 Tries to detect virtualization through RDTSC time measurements 11->64 18 gYgLemI0Dn.exe 4 10 11->18         started        66 Sample uses process hollowing technique 14->66 68 Hides threads from debuggers 14->68 process6 dnsIp7 44 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 103.232.54.201, 49718, 49721, 49723 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 18->44 34 C:\Users\user\AppData\Roaming\win.exe, PE32 18->34 dropped 36 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 18->36 dropped 38 C:\Users\user\AppData\Local\...\install.vbs, data 18->38 dropped 54 Tries to detect Any.run 18->54 56 Hides threads from debuggers 18->56 23 wscript.exe 1 18->23         started        file8 signatures9 process10 process11 25 cmd.exe 1 23->25         started        process12 27 win.exe 1 25->27         started        30 conhost.exe 25->30         started        signatures13 70 Contains functionality to detect hardware virtualization (CPUID execution measurement) 27->70 72 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 27->72 74 Tries to detect Any.run 27->74 76 2 other signatures 27->76 32 win.exe 27->32         started        process14
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b54ff609b5ae4eb2d5e32b26ce5446ac83684088785dc51b22bbfccf61e06e5/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 11:05:00 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bnkp6ye3llsowlk6gkzgzzkenlednbaiq6c5yunsfo74z5q6a3sq._file
Verdict:
unknown
Similar samples:
1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b
GuLoader
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
GuLoader
6670269c08d80b6511029d06dfa07711a5e0bb1494107da5dc9d9d5661f010f3
GuLoader
6e6fa2f1d1b7e3c37b6c7a18a4bd750e6ca980741c87af931c17d2ed7e469c3e
GuLoader
7c38d073b77ff7afc8f65aac812316d0fa9356115f1f3e78aca9fd496d177cad
GuLoader
7e4bb8db363bbb2fdb438b89700166146671fca493247486d678cbff47bec727
GuLoader
9ad452c41af7ed761449a51cca42b89827921f70f564331a4eed7a191c37c325
GuLoader
c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414
GuLoader
d4d22a42f8307b64ffeeaa26275000213a940c1792231db0911678d7bbb2cfb9
GuLoader
e45b4d0e0b338b2a3875466e875b008043acf8240da0d6caa2ec14d13c02fe41
GuLoader
+ 5'204 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader persistence rat
Link:
https://tria.ge/reports/210520-tkm37bpnqs/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/XP_remcos%202021_ogBiNEKs50.bin
wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b54ff609b5ae4eb2d5e32b26ce5446ac83684088785dc51b22bbfccf61e06e5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 0b54ff609b5ae4eb2d5e32b26ce5446ac83684088785dc51b22bbfccf61e06e5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1257841/
  
URLhaus
https://urlhaus.abuse.ch/url/1255994/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/159729/

Comments