MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13d51b76a44e31a8f2007d328e91036468fbd1d8c9e8706bffa4c544417b7ef7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13d51b76a44e31a8f2007d328e91036468fbd1d8c9e8706bffa4c544417b7ef7
SHA3-384 hash: 37667b045b131e2dbd311052da9d3c11c3e27426b3ec98011fc9f2c1bbafac2408a66f14f67130cbe0a3ceb2299d3f06
SHA1 hash: 2b47e4e2ae48a21c519f240e89a28d2d8f7d30a4
MD5 hash: 42cff828d126698f6a09338c67067f8f
humanhash: table-sierra-nuts-jersey
File name:SecuriteInfo.com.FileRepMalware.12601.20128
Download: download sample
Signature GuLoader
Create hunting rule
File size:517'816 bytes
First seen:2023-09-18 22:36:11 UTC
Last seen:2023-09-19 16:32:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (287 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 12288:9wc+TUh4R5bOYPzaBtA7jfWcYdYYNUK+cqhPv+AVRUj0DgUDss:9WTUh4fOyEcYdYuTq8GR4yF
Threatray 339 similar samples on MalwareBazaar
TLSH T1D0B402413AD81CE7E86D067355B2EB9A24787C17039658DB63CDB7BB1534B838B0E12E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4968ecccccccc88 (7 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-01T08:18:16Z
Valid to:2026-02-28T08:18:16Z
Serial number: 5a0164d0839eebe9f39f7cff7325bb37b2b6a94b
Thumbprint Algorithm:SHA256
Thumbprint: b6a76689a22b71d8b5fbdca771adebf40ffe50519076604b9e035b612e04cc6b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.FileRepMalware.12601.20128
Verdict:
Suspicious activity
Analysis date:
2023-09-18 22:39:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/282e583d-e409-4663-904b-e9bd3b9e93f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/449477/
Detection(s):
SecuriteInfo.com.FileRepMalware.12601.20128.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6508d10f32ffdb7a7a0ad938/reports/81243eb2-6025-419c-bbb9-08e08d3ab202/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/13d51b76a44e31a8f2007d328e91036468fbd1d8c9e8706bffa4c544417b7ef7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/121c4d1b-45a4-419d-8798-ac69f07253eb
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1310391
Signature
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13d51b76a44e31a8f2007d328e91036468fbd1d8c9e8706bffa4c544417b7ef7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-18 20:35:48 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
17 of 35 (48.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cpkrw5vejyy2r4qapuzi5eidmrupxuoyzhuha277utcuiql3p33q._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0694c6c0a52d6281f7ba9acc9de0549be7fd5bdb35e857609fc7adbfcda8c848
GuLoader
1efb08a82cb31f0627287c5b4d31725dec2f9d5062cea032a454a9f1d953df5e
GuLoader
4588c6ac02ddd81f8315af2307ec516f58400c555ecd74944a77964fbdd992c1
GuLoader
684aa993e575c672c0b509eb310ed408ab8fc1000d00a477a2b8912b30ddccf6
GuLoader
8a74737cd563828a070e74b5fa4af0eefc7a98cf8b52fcc0ee5db3c83a2d9cb0
GuLoader
8fdc286a9b7ea65bd8e90e8b413c43e16763c3e1bcef52daedcc97894482bb06
GuLoader
8ff5928d869d66ecf927b108a50d3a2d1077948146f4b161f3d46390ea202591
GuLoader
a65d60a0e83a78f2a7c81f0b867a727dccdaafc47485e7c5196563d9dcfe6328
GuLoader
+ 329 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230918-2jsxjada6w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
MD5 hash:
b0c77267f13b2f87c084fd86ef51ccfc
SHA1 hash:
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
Link:
https://www.unpac.me/results/bc5c4dee-210d-4cbb-aacd-6979f6e90f71/
SH256 hash:
13d51b76a44e31a8f2007d328e91036468fbd1d8c9e8706bffa4c544417b7ef7
MD5 hash:
42cff828d126698f6a09338c67067f8f
SHA1 hash:
2b47e4e2ae48a21c519f240e89a28d2d8f7d30a4
Link:
https://www.unpac.me/results/bc5c4dee-210d-4cbb-aacd-6979f6e90f71/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13d51b76a44e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/13d51b76a44e31a8f2007d328e91036468fbd1d8c9e8706bffa4c544417b7ef7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/449477/

Comments