MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12645a97c3a1da224f0d6d4fa36c545e35c0d6e70f9b0104daa3363eb48a9574. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	12645a97c3a1da224f0d6d4fa36c545e35c0d6e70f9b0104daa3363eb48a9574
SHA3-384 hash:	29879684c3cf79b4a96b618377168c283bb28a0ee71eecbfcbaeba290bcf643eef6268520ec4bbc2a23cda28c241ccd2
SHA1 hash:	c92f6b532dd87205b9c696bcfe4244fd7d0ed7b0
MD5 hash:	760f463b1279b98b75fe6aa0417f83a5
humanhash:	carolina-orange-golf-pennsylvania
File name:	760f463b1279b98b75fe6aa0417f83a5.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	253'952 bytes
First seen:	2021-05-25 07:07:25 UTC
Last seen:	2021-05-25 08:06:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	520a2b2972090f05a4082ec73469f4ac (2 x GuLoader)
ssdeep	1536:1Qo+PfbIwF4M0gMgjl2NGAxdtPkVFUr1BnHcCEXGppAIuuEhIMc2b8yMk2+D3XZc:4XbRF4MtnGLdkVE1BHaXGQIuvbc2fc
Threatray	5'510 similar samples on MalwareBazaar
TLSH	8D441E02F751F869D409F470F656CEBE221EBB76611B4E03B6407F1998F0387AEB4A16
Reporter	abuse_ch
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

2

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

SA00667224.xlsx

Verdict:

Malicious activity

Analysis date:

2021-05-25 05:59:22 UTC

Tags:

encrypted opendir trojan exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/67a2cbdf-78eb-466a-918e-86d2533f13a8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/161708/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/791497

Signature

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Detection:

nanocore

Link:

https://mwdb.cert.pl/sample/12645a97c3a1da224f0d6d4fa36c545e35c0d6e70f9b0104daa3363eb48a9574/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cjsfvf6duhncetynnvh2g3culy24bvxhb6nqcbg2um3d5neksv2a._file

Verdict:

unknown

Similar samples:

04b0bed3c67cf8a69f413a4f323055d71e3d0a8fec4a0cd96f3e667541b8e63a

316ae869254da17770f7f1ad79caefefaedb09ae4c76bd9b26e3f58792dd0bf6

51ab426459849264d137a4ff13c7846e4e6a1024981d749de08ff634104784e3

57c19a6393af8083c0479541d3e7ae6bf2342dfcebff8ce7263e23d2681beb76

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

ab4d24e50b96e4358963a8232d7244c0aaf208cfec8c8d5022871547ed795fc9

bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1

c7a647398282460a21fe3334a15d327c975c23cfdf4e08028c440b04b0404b73

e06424448f76d743640e518b0fec78a025fee0856f6afa507e077e5dcc118e3c

f1ffd3c13b7bd7f498e8b718d46509a14bf571c5783d4281adcfafe13291e1fd

+ 5'500 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/210525-8cgj13tgra/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Malware Config

C2 Extraction:

http://farmersschool.ge/x7_qZfMIt89.bin

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/12645a97c3a1da224f0d6d4fa36c545e35c0d6e70f9b0104daa3363eb48a9574

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 12645a97c3a1da224f0d6d4fa36c545e35c0d6e70f9b0104daa3363eb48a9574

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1281452/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/161708/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample