MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e7db572ddaf60250fbb8ce46bc1f5de5b35a32fffd3460485ee160a8873bad3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e7db572ddaf60250fbb8ce46bc1f5de5b35a32fffd3460485ee160a8873bad3
SHA3-384 hash: 01e68691b4e4bc1c87966bf28e5089ec52afefafaa69a1ec8fbc1ac7ab6c71a0301492cf26859483e9826987510ae16f
SHA1 hash: 569123053558c04c5775c9dcec01d34dfd14a63c
MD5 hash: 9ad99cc088f351ad7df466e40f1e12b4
humanhash: march-high-mirror-uncle
File name:SecuriteInfo.com.generic.ml.1686.30320
Download: download sample
Signature GuLoader
Create hunting rule
File size:307'856 bytes
First seen:2022-05-07 17:33:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:LYa6VzAkzL7r9r/EDppppppppppppppppppppppppppppp0Y2+hSNT9hmw:LYnlP7r9r/+pppppppppppppppppppp+
Threatray 11'156 similar samples on MalwareBazaar
TLSH T13C64F5C0E98495A1EC19AB306A36CD3556237DFDA874941D29DE3E2B3FFB2D3502A053
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:SUPERORGANISM Defeated
Issuer:SUPERORGANISM Defeated
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-07T12:18:30Z
Valid to:2023-05-07T12:18:30Z
Serial number: 6ece92740ba91a28
Thumbprint Algorithm:SHA256
Thumbprint: 5d6e0b16206d3617c9d30192b4f0e7413dba5c1a5ba5b30bcb0236cca4f457bc
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.generic.ml.1686.30320
Verdict:
Malicious activity
Analysis date:
2022-05-07 17:36:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63c53f6f-09c1-44f1-ac49-1b21813d7993

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269265/
Detection(s):
SecuriteInfo.com.generic.ml.1686.30320.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16636/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6276ad5ebd5c76586e1c384e/reports/ca9cd7f7-6938-47c1-82c3-576543240569/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36afb3c6-1675-4ae8-bbc5-10bf808fc921
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/989538
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e7db572ddaf60250fbb8ce46bc1f5de5b35a32fffd3460485ee160a8873bad3/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-05-07 17:34:07 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
9 of 26 (34.62%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bz63k4w5v5qckd53rtsgxqpv3zntlizp77jumbef5ylavcdtxljq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
01c182ee03e32e4603c205ae79739a559e1d5eb094a27c6174c8555cad20133c
GuLoader
035fe118d29d14e00b56cf2b88128026c19f19a63df2a40b1408720a6e746f36
GuLoader
24f42aec927ad7e24c314c54b2b70fdab2cb705b216bb2aec243ec6582bdeef4
GuLoader
912f1b1f42229f5dc85e71db8eb2fa4242dae10fe5380a2c033ed7468edf4d89
GuLoader
99ec7c3d98449f130584d01f3dea7e8084df01abae8077ae18900695e2d941cb
GuLoader
ae971526492d43606efd2d0f37ac9b262618a28274887388a7c7f9f095942a81
GuLoader
becb9cb4828f80a3bfebcd18f9e22d4cc275025d09efeec0ce2013d805acb138
GuLoader
e23540742dd2b2813b852d1e8d6ea5ff3ee10063528563fb89587e61e8f7439f
GuLoader
f1bd6adeeb4de478e5697432f1cd289a435e6102702e84f40a0cdf9c638e5184
GuLoader
+ 11'146 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader collection discovery downloader persistence spyware stealer suricata
Link:
https://tria.ge/reports/220507-v5ehpscgf4/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks installed software on the system
Checks QEMU agent file
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader,Cloudeye
suricata: ET MALWARE Generic .bin download from Dotted Quad
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/9dc94a25-031f-4859-9876-13a9f706fc74/
SH256 hash:
0e7db572ddaf60250fbb8ce46bc1f5de5b35a32fffd3460485ee160a8873bad3
MD5 hash:
9ad99cc088f351ad7df466e40f1e12b4
SHA1 hash:
569123053558c04c5775c9dcec01d34dfd14a63c
Detections:
win_cannon_auto
Create hunting rule
Link:
https://www.unpac.me/results/9dc94a25-031f-4859-9876-13a9f706fc74/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e7db572ddaf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e7db572ddaf60250fbb8ce46bc1f5de5b35a32fffd3460485ee160a8873bad3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dridex_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:win_cannon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269265/

Comments