MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e567faf1360f9188e37a7affa92286972f148814aa92f69b68b894e2648e5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18e567faf1360f9188e37a7affa92286972f148814aa92f69b68b894e2648e5b
SHA3-384 hash: 5f47ec5e8fb6c93cefce6afdd36e146806cec6fa719f89949eb059a010666d0ef9a6fdf6497b4779b9c2b7bda781d9a3
SHA1 hash: 9b85a42192c7936b08abc7ce6325f79cd3f30dbb
MD5 hash: da3b405302f05a2175562bcb3e3ae266
humanhash: echo-network-zebra-mirror
File name:da3b405302f05a2175562bcb3e3ae266
Download: download sample
Signature GuLoader
Create hunting rule
File size:139'264 bytes
First seen:2021-10-15 09:22:18 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1536:0Em9UjNfLx/LREUl8dubK2/WwC6iI4uv0p7zCtCC65A828oW:0Emq1ldE1guwUuvPL2EdW
Threatray 10'516 similar samples on MalwareBazaar
TLSH T155D3071DB6E1C964FA65BAB3DB7E4224C726FC20DC11412E23DABD090972641F639F39
Reporter zbetcheckin
Tags:GuLoader msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197725/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
netwire
Link:
https://www.filescan.io/uploads/61694875fd35fe780c42a7d5/reports/4f103040-0e24-4bf4-b771-568d407ede26/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/18e567faf1360f9188e37a7affa92286972f148814aa92f69b68b894e2648e5b
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871058
Signature
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 503486 Sample: Cs3PcPy48f Startdate: 15/10/2021 Architecture: WINDOWS Score: 100 19 Found malware configuration 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 GuLoader behavior detected 2->23 25 3 other signatures 2->25 7 msiexec.exe 7 27 2->7         started        10 msiexec.exe 2 2->10         started        process3 file4 17 C:\Windows\Installer\MSICC.tmp, PE32 7->17 dropped 12 MSICC.tmp 7->12         started        process5 signatures6 27 Multi AV Scanner detection for dropped file 12->27 29 Drops executables to the windows directory (C:\Windows) and starts them 12->29 31 Tries to detect Any.run 12->31 33 Hides threads from debuggers 12->33 15 MSICC.tmp 12->15         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18e567faf1360f9188e37a7affa92286972f148814aa92f69b68b894e2648e5b/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-10-15 09:23:04 UTC
AV detection:
12 of 44 (27.27%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
GuLoader
479f929625a3e8a8f98256c3a020f5946e0d88fd7e3582e47b63500679d46585
GuLoader
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
GuLoader
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
GuLoader
6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
GuLoader
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
GuLoader
ab2261ddf24d2524a3ffe99044fac988f6178be9bc78d28cd5db289c414c3a4f
GuLoader
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
GuLoader
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
GuLoader
deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
GuLoader
+ 10'506 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/211015-lcfqmabebp/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates connected drives
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/18e567faf1360f9188e37a7affa92286972f148814aa92f69b68b894e2648e5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Microsoft Software Installer (MSI) msi 18e567faf1360f9188e37a7affa92286972f148814aa92f69b68b894e2648e5b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1680203/
  
URLhaus
https://urlhaus.abuse.ch/url/1680205/
Cape
Cape
https://www.capesandbox.com/analysis/197725/

Comments


Avatar
zbet commented on 2021-10-15 09:22:20 UTC

url : hxxps://www.gsmcommerce.net/nx/t.msi