MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10f957f6ae25382ddca0fc6fbd364f20d6e4cfa2f49728167bc1504cd3be0c46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: GuLoader
Vendor detections: 10

SHA256 hash: 10f957f6ae25382ddca0fc6fbd364f20d6e4cfa2f49728167bc1504cd3be0c46
SHA3-384 hash: 510ff4c04963a1fad0af39e9e86819a69fdec505744dbd7964b5f6c7fad609685888adce862167e5273ab7d0cd648440
SHA1 hash: 150448888c8e7aaf06a8175d5f3b660265fa1e2a
MD5 hash: 8258714e7bc2ec82e01d0fb19215bec8
humanhash: summer-asparagus-alanine-maine
File name: Wyciag_26_08102045800000190201217926.scr
Signature: GuLoader
File size: 236'904 bytes
First seen: 2022-02-09 16:15:10 UTC
Last seen: 2022-02-09 17:48:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 3072:KbG7N2kDTHUpouekcFpY6Dl2ebeM1Gg2CzZC6KqNKZV89uv9TDJ/+1GF1jZAPEVd:KbE/HUfoemz2kZn8+uv9JG1G1sExyo
Threatray: 1'542 similar samples on MalwareBazaar
TLSH: T18F34F150B251DC5AE46305F1FC35E6F11AECAE05D63A8A4727627F4C79F3742243AE0A
dhash icon: b270e896ceccd4cc (4 x GuLoader, 1 x AgentTesla)
Reporter: Anonymous
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: cholecystocolotomy
Issuer: cholecystocolotomy
Algorithm: sha256WithRSAEncryption
Valid from: 2022-02-09T13:22:19Z
Valid to: 2023-02-09T13:22:19Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 02be4f5a3dfaee1f7e005390c03af064d2b5248b4830ddb90b4356075e654197
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
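The certificate block above carries three signs that it was minted for this binary rather than obtained from a CA: issuer and subject are the same string, the serial number is 00, and "Valid from" falls a little under three hours before the sample was first seen. The script below is an added example (not MalwareBazaar's, Cert Graveyard's or ReversingLabs' code) that turns those observations into a reusable triage check. The certificate values are copied from the entry; the field names, the seven-day threshold and the benign control certificate are assumptions made for illustration.

```python
"""Triage heuristics for the code-signing certificate shown above.

Added example; not MalwareBazaar's, Cert Graveyard's or ReversingLabs' code.
The certificate values are copied from the entry; the field names, the
thresholds and the benign control certificate are assumptions made for
illustration.
"""
from datetime import datetime, timedelta, timezone

# Copied from the entry above.
SAMPLE_CERT = {
    "subject": "cholecystocolotomy",
    "issuer": "cholecystocolotomy",
    "serial": "00",
    "not_before": "2022-02-09T13:22:19Z",
    "not_after": "2023-02-09T13:22:19Z",
}
SAMPLE_FIRST_SEEN = "2022-02-09 16:15:10 UTC"

# Constructed control case (not from the page): a distinct issuer, a non-zero
# serial and more than a year between issuance and the binary's first sighting.
CONTROL_CERT = {
    "subject": "Example Software Ltd",
    "issuer": "Example Code Signing CA",
    "serial": "0a1b2c3d4e5f",
    "not_before": "2021-01-15T09:00:00Z",
    "not_after": "2024-01-15T09:00:00Z",
}
CONTROL_FIRST_SEEN = "2022-02-09 16:15:10 UTC"


def parse_utc(value):
    """Parse the two timestamp layouts used on the entry into aware datetimes."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {value!r}")


def cert_red_flags(cert, first_seen, max_lead=timedelta(days=7)):
    """Return the red flags a triage analyst would raise for this certificate.

    max_lead is an assumed threshold: a certificate minted within this window
    before the binary was first seen was most likely created for that binary.
    """
    flags = []
    if cert["subject"] == cert["issuer"]:
        flags.append("self-signed: issuer equals subject, so no CA vouches for the name")
    if int(cert["serial"], 16) == 0:
        flags.append("serial 00: RFC 5280 requires a positive serial, so no conforming CA issued it")
    seen = parse_utc(first_seen)
    lead = seen - parse_utc(cert["not_before"])
    if timedelta(0) <= lead <= max_lead:
        flags.append(f"minted {lead} before the binary was first seen")
    if seen > parse_utc(cert["not_after"]):
        flags.append("expired at time of first sighting")
    return flags


if __name__ == "__main__":
    for name, cert, seen in (("sample", SAMPLE_CERT, SAMPLE_FIRST_SEEN),
                             ("control", CONTROL_CERT, CONTROL_FIRST_SEEN)):
        print(name, cert_red_flags(cert, seen) or ["no flags"])
```

The thumbprint on the entry is the better pivot once a certificate is flagged: the page already links it to 325 other samples, and the same SHA256 thumbprint can be fed into the Cert Graveyard blocklist or a SIEM lookup to catch siblings that share the signer but not the file hash.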

Intelligence


File Origin
# of uploads: 2
# of downloads: 197
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Wyciag_26_08102045800000190201217926.scr
Verdict: Malicious activity
Analysis date: 2022-02-09 16:14:39 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a window
Creating a file
DNS request
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe guloader overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 48 / 100
Signature
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph (ID 569577; sample Wyciag_26_08102045800000190...; start date 09/02/2022; architecture WINDOWS; score 48):
Processes: Wyciag_26_08102045800000190201217926.exe started; explorer.exe started; explorer.exe started by the sample; svchost.exe started by explorer.exe
Files dropped by the sample: C:\Users\user\AppData\Local\...\vbsedit32.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
Signatures: Sigma detected: Suspicious Svchost Process; Tries to detect virtualization through RDTSC time measurements (on the sample process)
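The behaviour graph shows why the Sigma rule fired: svchost.exe is normally started by services.exe, but here it is a child of explorer.exe, which in turn was started by the sample. The script below is an added example (not code from the page, from the sandbox that produced the hit, or from the SigmaHQ rule itself). It approximates the rule's core condition, svchost.exe with a parent outside a short allow-list of legitimate launchers, runs it over constructed records shaped like Sysmon Event ID 1, and then walks the parent links upward so the hit is tied back to the dropper. The allow-list, the process IDs and the file paths are assumptions for illustration; the process names follow the graph.

```python
"""Re-creating the 'Suspicious Svchost Process' hit over process-creation events.

Added example; not code from the page, from the sandbox that produced the hit,
or from the SigmaHQ rule itself. It approximates the rule's core condition
(svchost.exe started by something other than its few legitimate launchers,
services.exe first among them) and runs it over constructed records shaped
like Sysmon Event ID 1. The parent allow-list, the process IDs and the paths
are assumptions for illustration; the process names follow the behaviour
graph above.
"""
import ntpath

# Assumed allow-list of parents that legitimately start svchost.exe.
LEGIT_SVCHOST_PARENTS = {
    "services.exe", "svchost.exe", "msmpeng.exe", "mrt.exe",
    "rpcnet.exe", "ngen.exe", "tiworker.exe",
}

# Constructed events (Sysmon Event ID 1 fields). The first four mirror the
# behaviour graph; the last is a normal service host started by services.exe.
EVENTS = [
    {"EventID": 1, "ProcessId": 1100, "Image": r"C:\Windows\explorer.exe",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "ProcessId": 2200,
     "Image": r"C:\Users\user\Desktop\Wyciag_26_08102045800000190201217926.exe",
     "ParentProcessId": 1100, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2300, "Image": r"C:\Windows\explorer.exe",
     "ParentProcessId": 2200,
     "ParentImage": r"C:\Users\user\Desktop\Wyciag_26_08102045800000190201217926.exe"},
    {"EventID": 1, "ProcessId": 2400, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 2300, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 800, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe"},
]


def image_name(path):
    """Case-folded basename of a Windows path; ntpath handles backslashes on any host."""
    return ntpath.basename(path).lower()


def suspicious_svchost(events):
    """Return process-creation events for svchost.exe with an unexpected parent."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or image_name(e["Image"]) != "svchost.exe":
            continue
        parent = image_name(e.get("ParentImage", ""))
        # An unknown (empty) parent is left alone rather than flagged.
        if not parent or parent in LEGIT_SVCHOST_PARENTS:
            continue
        hits.append(e)
    return hits


def ancestry(events, pid):
    """Walk ParentProcessId links upward and return the chain of image names."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(image_name(e["Image"]))
        pid = e["ParentProcessId"]
    return chain


if __name__ == "__main__":
    for hit in suspicious_svchost(EVENTS):
        print("suspicious svchost pid", hit["ProcessId"], "->", " <- ".join(ancestry(EVENTS, hit["ProcessId"])))
```

On a real host the parent check alone produces occasional noise (installers and update agents do start svchost.exe), which is why the ancestry walk matters: an svchost.exe whose chain runs through an explorer.exe that was itself started by a freshly dropped executable is the pattern worth alerting on, and the dropped NSIS plug-ins listed in the graph (nsExec.dll, System.dll) are the supporting artefacts to collect from %LocalAppData%.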
Threat name: Win32.Trojan.Shelsy
Status: Malicious
First seen: 2022-02-09 16:16:11 UTC
File Type: PE (Exe)
Extracted files: 50
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SHA256 hash: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash: cff85c549d536f651d4fb8387f1976f2
SHA1 hash: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 hash: 0b2277d8aaf36e01aca3ae33e227b44bebc541a9c5cef6eb4fef93e96821a6cd
MD5 hash: b1ba7a8263281244782ca5604876cb2c
SHA1 hash: b8523dee6d7e74512a05c60cc35c0fddac370252
SHA256 hash: 10f957f6ae25382ddca0fc6fbd364f20d6e4cfa2f49728167bc1504cd3be0c46
MD5 hash: 8258714e7bc2ec82e01d0fb19215bec8
SHA1 hash: 150448888c8e7aaf06a8175d5f3b660265fa1e2a
Please note that we are no longer able to provide a coverage score for Virus Total.
