MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17dddb2e6db0aa7d67c0e63f1129dde91f471fb6c5ce41d1e1574d8403ecd1ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17dddb2e6db0aa7d67c0e63f1129dde91f471fb6c5ce41d1e1574d8403ecd1ad
SHA3-384 hash: ff7b4c79ae016ab9bc09f3d88fb4e40e53cceba54995950536de71eadc0cd590e32a0872b0dec14c5cf0f6e6b40451fe
SHA1 hash: 4b6c5fc8230797fb521083601bd70cd83d8c7d2f
MD5 hash: 789a47d33ce65dad5fd40c1e656cf638
humanhash: double-king-jig-vermont
File name:789a47d33ce65dad5fd40c1e656cf638
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2021-06-21 07:35:12 UTC
Last seen:2021-06-21 10:39:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash afebd4b9a3c7e2a05199a96fc7d3e5d6 (2 x GuLoader)
ssdeep 768:bOBYycoRhQqLpQ5PiRvwgo87goAub5sIE6uN2+JG39BztoLou6THw4tM+y9GFzyB:0zjCoOPiugp3AsQN2RTiku6TQrt9uWp
Threatray 5'279 similar samples on MalwareBazaar
TLSH 18936B22FFA4D891E04689724FA398B11A11FC26E8118D177179BBDD1F347825CE7F1A
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
789a47d33ce65dad5fd40c1e656cf638
Verdict:
Malicious activity
Analysis date:
2021-06-21 07:43:17 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/6863f499-9768-46ab-b790-8f62759aa5bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167226/
Detection(s):
SecuriteInfo.com.Trojan.PackedENT.227.11354.20283.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3f46802-6c14-463c-86de-d8072be3ae46
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805163
Signature
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/17dddb2e6db0aa7d67c0e63f1129dde91f471fb6c5ce41d1e1574d8403ecd1ad/
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 07:36:17 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7o5wltnwcvh2z6a4y7rcko55epuoh5wyxhedupbk5gyia7m2gwq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
049f2bcbaa6d18cf9ee22b12c47ba8578c938d04df6d35a3c4cd3ed81fdcf4ab
GuLoader
0fce851d001cb1a92a7939eb6a9fac428f5fd9750caa9a1981e27fd659c32c03
GuLoader
1bb79d3f58130c38c2d1c54737aaa69bfdf5693cf6177efaac78377020b86ad6
GuLoader
1d500cd661df7071f1ff76b19067cef40b5a0ab4b4a9ac26425dcdbac6eb7e7e
GuLoader
1e6e22400682ee9a9ec02f1742f84efd44978cb6c2d4ef685d04f650f180cfb4
GuLoader
1f108a10b866def65686fcb0e0c10612152288ea1f7a6158e5ada37f26d03265
GuLoader
36ac85986999d60ef2bcf74e50d27daa1bfbf6c4815e6fb5e5dc1547d8dcb8c9
GuLoader
3c0c946bd49128824271aa80cde029b625c3c1ca3ba6df6b3408cccddc02296e
GuLoader
d0b2bc00645de803a4e9df303539995ee8f781631684b04fe67ee7e01bcf9c21
GuLoader
f10508b4bd982e597771e6128fede0b532c42cb799ac495c922940c27a942dbe
GuLoader
+ 5'269 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/210621-2h1y13c8gj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Formbook Payload
Formbook
Guloader,Cloudeye
Malware Config
C2 Extraction:
http://www.yellow-wink.com/nff/
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/36dc31c3-a8c6-4614-a1ac-7632318afe74/
SH256 hash:
17dddb2e6db0aa7d67c0e63f1129dde91f471fb6c5ce41d1e1574d8403ecd1ad
MD5 hash:
789a47d33ce65dad5fd40c1e656cf638
SHA1 hash:
4b6c5fc8230797fb521083601bd70cd83d8c7d2f
Link:
https://www.unpac.me/results/36dc31c3-a8c6-4614-a1ac-7632318afe74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17dddb2e6db0aa7d67c0e63f1129dde91f471fb6c5ce41d1e1574d8403ecd1ad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 17dddb2e6db0aa7d67c0e63f1129dde91f471fb6c5ce41d1e1574d8403ecd1ad

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1384460/
Cape
Cape
https://www.capesandbox.com/analysis/167226/

Comments