MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15f9bf54d8c4f819663ee61dcae4d24190a518b4cc107077148dd34985c00d70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

SHA256 hash: 15f9bf54d8c4f819663ee61dcae4d24190a518b4cc107077148dd34985c00d70
SHA3-384 hash: a8e52cd9526a4ed243252203cfb415780801c6b9a4821b8c06a43547b9609a8c6a9b72ea8dfd7856ea32431d82e5e0a6
SHA1 hash: 68625af172344aa2a66ddeca5cf9affaec40ba5e
MD5 hash: 329726c8b97fe18c99f0834c332493a4
humanhash: wyoming-california-fanta-eight
File name: Swift Copy.exe
Signature GuLoader
File size: 118'784 bytes
First seen: 2021-10-05 12:20:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 461dc836626597933929a467ef09b568 (4 x GuLoader)
ssdeep 1536:J7CHr+jlLXJjHXCmGlOKFAXyER/Colc/SssVCZv3Ghem2YK5brova:JwrCsemAXyiaoGC23Ghex
Threatray 936 similar samples on MalwareBazaar
TLSH T1B8C35C91B2E4DC44F0650A71CAB6C2F887D7FC9DCC52C70B2DA4790EBB7A7445A692E0
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter GovCERT_CH
Tags: exe GuLoader
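
Before a downloaded copy of this sample is handled or detonated, its hashes should be checked against the values listed above, since a hash match ties the file to this entry while (as the page notes) saying nothing on its own about maliciousness. The script below is an added example, not part of MalwareBazaar or of any vendor's tooling: it hashes a file or byte string once with MD5, SHA1, SHA256 and SHA3-384 and reports per-algorithm matches against the entry's hashes (copied from the page into `BAZAAR_IOCS`). It cannot compute imphash, ssdeep or TLSH, which need the `pefile`, `ssdeep` and `tlsh` packages; those algorithms are reported as "not checked". The stand-in bytes used when no path is given are constructed and will not match.

```python
import hashlib
import io
import sys
from typing import Dict, Optional

# Hashes listed on this MalwareBazaar entry for Swift Copy.exe (copied from the page).
BAZAAR_IOCS = {
    "sha256": "15f9bf54d8c4f819663ee61dcae4d24190a518b4cc107077148dd34985c00d70",
    "sha3_384": "a8e52cd9526a4ed243252203cfb415780801c6b9a4821b8c06a43547b9609a8c"
                "6a9b72ea8dfd7856ea32431d82e5e0a6",
    "sha1": "68625af172344aa2a66ddeca5cf9affaec40ba5e",
    "md5": "329726c8b97fe18c99f0834c332493a4",
}

# Algorithms this script can compute with the standard library alone.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def compute_hashes(src, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash bytes or a binary stream with every algorithm in ALGORITHMS in one pass."""
    stream = io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else src
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_against_iocs(src, iocs: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """True/False per listed algorithm; None when the algorithm is not computable here.

    Expected digests are compared case-insensitively, since feeds differ in hex case.
    """
    actual = compute_hashes(src)
    return {
        algo: (actual[algo] == expected.strip().lower()) if algo in actual else None
        for algo, expected in iocs.items()
    }


def is_verified(result: Dict[str, Optional[bool]]) -> bool:
    """True only if at least one hash was compared and every compared hash matched."""
    checked = [v for v in result.values() if v is not None]
    return bool(checked) and all(checked)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            result = verify_against_iocs(f, BAZAAR_IOCS)
    else:
        # Constructed stand-in: a stub MZ header, not the real sample, so nothing matches.
        result = verify_against_iocs(b"MZ" + b"\x00" * 62, BAZAAR_IOCS)
    for algo, ok in result.items():
        state = "match" if ok else ("MISMATCH" if ok is False else "not checked")
        print(f"{algo:9s} {state}")
    sys.exit(0 if is_verified(result) else 1)
```

Run it as `python verify.py "Swift Copy.exe"`; a non-zero exit means at least one computable hash disagreed with the entry. The "Unpacked files" hashes further down this entry are identical to the sample's own SHA256, MD5 and SHA1, so there is no separate unpacked artifact to verify with the same list.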

Intelligence


File Origin
# of uploads: 1
# of downloads: 137
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Swift Copy.exe
Verdict: No threats detected
Analysis date: 2021-10-05 12:26:35 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects what the analyst did during the session, not just the uploaded sample, so the Clean verdict below is not evidence that the file is benign.
Result
Verdict: Clean
Maliciousness:
Behaviour: Creating a window
Result
Threat name: GuLoader FormBook
Detection: malicious
Classification: rans.troj.evad.spyw
Score: 100 / 100
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph (ID 1510, sample Swift Copy.exe, start date 05/10/2021, architecture WINDOWS, score 100), summarised from the graph:

Process tree
- Swift Copy.exe: tries to detect Any.run, hides threads from debuggers; starts a second Swift Copy.exe
  - Swift Copy.exe (child): connects to googlehosted.l.googleusercontent.com (142.250.185.129:443), drive.google.com (142.250.74.142:443) and 192.168.11.1; modifies the context of a thread in another process, maps a DLL or memory area into another process, tries to detect Any.run, plus 3 other signatures; injects into explorer.exe and starts raserver.exe
    - explorer.exe (injected): connects to connect.shopbase.com (185.33.94.234:80), mademommyproud.com (81.169.145.72:80) and 23 other IPs or domains; drops C:\Users\user\AppData\Local\...\mfcox4.exe (PE32); "System process connects to network", "Benign windows process drops PE files"; starts mfcox4.exe three times plus 2 other processes
      - mfcox4.exe (first): tries to detect Any.run, hides threads from debuggers; starts a further mfcox4.exe, which modifies the context of a thread in another process, maps a DLL or memory area into another process, tries to detect Any.run, and starts rundll32.exe (thread injection, maps a DLL or memory area into another process) and autofmt.exe
      - mfcox4.exe (second): starts a further mfcox4.exe, which connects to docs.google.com (142.250.203.110:443), 172.217.168.1:443 and 172.217.168.78:443, uses process hollowing and hides threads from debuggers
      - mfcox4.exe (third): starts a further mfcox4.exe
      - 2 other processes: thread injection, maps a DLL or memory area into another process
    - raserver.exe: creates an undocumented autostart registry key, tries to steal Mail credentials (via file access), self deletion via cmd delete, plus 3 other signatures; starts cmd.exe twice (one of which starts conhost.exe)

Sample-level network indicators: www.decastorebeauty.xyz (DNS queries to a domain with low reputation), x319vaq.yunjidns8.com, and 59 other IPs or domains; Snort IDS alert for network traffic, potential malicious icon, found malware configuration, plus 11 other signatures.

Caveat: the Google hosts (googlehosted.l.googleusercontent.com, drive.google.com, docs.google.com) resolve to shared infrastructure, and 192.168.11.1 is a private address inside the sandbox network; none of these is a blockable indicator. The low-reputation domains and the hosts contacted by the injected explorer.exe are the actionable network IOCs.
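
The signature list above includes two Sigma matches ("Suspicious Rundll32 Without Any CommandLine Params" and "Bad Opsec Defaults Sacrificial Processes With Improper Arguments") and "Self deletion via cmd delete", and the process tree shows rundll32.exe started by mfcox4.exe and cmd.exe started by raserver.exe. The script below is an added example, not part of the MalwareBazaar entry, the sandbox vendor's output or the Sigma rule set: it runs approximations of those three checks over process-creation events. The `ProcEvent` shape, the `SACRIFICIAL` process list and every sample event are my own constructions (the paths are invented and do not reproduce the truncated drop path in the report), and the rule logic follows the intent of the named Sigma rules rather than copying their exact conditions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the created process (constructed field layout)
    cmdline: str       # its command line as logged
    parent_image: str  # full path of the parent process


# Processes commonly hollowed as "sacrificial" hosts by post-exploitation tooling.
# Legitimate launches of these almost always carry arguments, so an empty argument
# list is the tell. The list is an assumption, not taken from the Sigma rule.
SACRIFICIAL = ("rundll32.exe", "regsvr32.exe", "dllhost.exe", "werfault.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Return the command line with its leading program token (quoted or bare) removed."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip()


def rundll32_no_params(ev: ProcEvent) -> bool:
    """rundll32.exe launched with nothing after the program token."""
    return basename(ev.image) == "rundll32.exe" and arguments(ev.cmdline) == ""


def sacrificial_no_args(ev: ProcEvent) -> bool:
    """Any listed sacrificial host launched with an empty argument list."""
    return basename(ev.image) in SACRIFICIAL and arguments(ev.cmdline) == ""


# "del", optional switches such as /f or /q, then a quoted or bare path ending in .exe.
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*"?([^"]+?\.exe)"?', re.IGNORECASE)


def cmd_self_delete(ev: ProcEvent) -> bool:
    """cmd.exe deleting the very binary that spawned it."""
    if basename(ev.image) != "cmd.exe":
        return False
    m = DEL_RE.search(ev.cmdline)
    return bool(m) and m.group(1).strip().lower() == ev.parent_image.lower()


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "rundll32_no_params": rundll32_no_params,
    "sacrificial_no_args": sacrificial_no_args,
    "cmd_self_delete": cmd_self_delete,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed events modelled on the process tree in this entry; paths are invented.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"C:\Users\user\AppData\Local\Temp\mfcox4.exe"),           # 0: fires
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),                                # 1: benign
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del "C:\Users\user\Desktop\Swift Copy.exe"',
              r"C:\Users\user\Desktop\Swift Copy.exe"),                   # 2: self-delete
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c dir",
              r"C:\Windows\explorer.exe"),                                # 3: benign
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe"',
              r"C:\Users\user\AppData\Local\Temp\mfcox4.exe"),           # 4: fires
]

if __name__ == "__main__":
    for index, rule_name in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(f"[{rule_name}] {ev.image} <- {ev.parent_image}: {ev.cmdline}")
```

An empty-argument rundll32.exe fires both the first and the second rule, so alert on the rule set rather than counting hits. The self-delete rule is deliberately narrow (cmd must delete its own parent's binary); if the telemetry shows the deletion coming from a different, injected process, as the hollowed raserver.exe in the tree above suggests, widen it to any cmd.exe deleting an executable under a user-writable path.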
Threat name: Win32.Trojan.Mucc
Status: Malicious
First seen: 2021-10-05 12:21:07 UTC
AV detection: 19 of 45 (42.22%)
Threat level: 5/5
Result
Malware family: guloader
Score: 10/10
Tags: family:guloader downloader
Behaviour: Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SHA256 hash: 15f9bf54d8c4f819663ee61dcae4d24190a518b4cc107077148dd34985c00d70
MD5 hash: 329726c8b97fe18c99f0834c332493a4
SHA1 hash: 68625af172344aa2a66ddeca5cf9affaec40ba5e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: GuLoader
Executable exe 15f9bf54d8c4f819663ee61dcae4d24190a518b4cc107077148dd34985c00d70 (this sample)
Dropped by: guloader
