MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ad231fb8cb3ab712bef3aae2c319cdd3d9f085eea7e0d205ca3729a85eb1294. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ad231fb8cb3ab712bef3aae2c319cdd3d9f085eea7e0d205ca3729a85eb1294
SHA3-384 hash: 96c0d8736ddf73ae4a96271f894f0078953617f6cf00d270494dc829999456070d811a3c8728fa892d396b0b4ca643b1
SHA1 hash: 2c8f77a7cd4679970a3617c642fa7b2f628f9a3e
MD5 hash: 67e197ce60aee392b9a6d6c1f0c8273a
humanhash: uniform-aspen-fourteen-zulu
File name:67e197ce_by_Libranalysis
Download: download sample
Signature GuLoader
Create hunting rule
File size:112'352 bytes
First seen:2021-05-19 19:01:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 1536:/2+GGBLxWobGcVnSPplzmMkoWHRVYnzksoStC3LhfY:/5BLxZGwSPplD/K30zZtC3LhfY
Threatray 1'545 similar samples on MalwareBazaar
TLSH 5BB3C47ABABBE930FE5880F0274C97F881572E74C955491BECC6294463F1632D6603FA
Reporter Libranalysis
Tags:GuLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
67e197ce_by_Libranalysis
Verdict:
Malicious activity
Analysis date:
2021-05-19 19:43:25 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/710e7817-bfd6-4e8e-b031-e76f8301408e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158747/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.25231.16724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Creating a process with a hidden window
Running batch commands
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785318
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Detected Remcos RAT
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Potentially malicious time measurement code found
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 417720 Sample: 67e197ce_by_Libranalysis Startdate: 19/05/2021 Architecture: WINDOWS Score: 100 44 gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu 2->44 52 Multi AV Scanner detection for domain / URL 2->52 54 Potential malicious icon found 2->54 56 Found malware configuration 2->56 58 7 other signatures 2->58 11 67e197ce_by_Libranalysis.exe 2->11         started        14 win.exe 2->14         started        16 win.exe 2->16         started        signatures3 process4 signatures5 68 Contains functionality to detect hardware virtualization (CPUID execution measurement) 11->68 70 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->70 72 Tries to detect Any.run 11->72 76 2 other signatures 11->76 18 67e197ce_by_Libranalysis.exe 4 10 11->18         started        74 Hides threads from debuggers 14->74 23 win.exe 6 14->23         started        25 win.exe 6 16->25         started        process6 dnsIp7 46 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 103.232.54.201, 49726, 49729, 49731 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 18->46 40 C:\Users\user\AppData\Roaming\win.exe, PE32 18->40 dropped 42 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 18->42 dropped 60 Tries to detect Any.run 18->60 62 Hides threads from debuggers 18->62 27 wscript.exe 1 18->27         started        file8 signatures9 process10 process11 29 cmd.exe 1 27->29         started        process12 31 win.exe 29->31         started        34 conhost.exe 29->34         started        signatures13 78 Multi AV Scanner detection for dropped file 31->78 80 Contains functionality to detect hardware virtualization (CPUID execution measurement) 31->80 82 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 31->82 84 4 other signatures 31->84 36 win.exe 2 7 31->36         started        process14 dnsIp15 48 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 36->48 50 gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu 188.72.119.8, 2177 M247GB Netherlands 36->50 64 Tries to detect Any.run 36->64 66 Hides threads from debuggers 36->66 signatures16
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ad231fb8cb3ab712bef3aae2c319cdd3d9f085eea7e0d205ca3729a85eb1294/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 13:50:38 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dljdd64mwovxck7phkxcymm43u6z6cc65j7a2ic4unzjvbplckka._file
Verdict:
unknown
Similar samples:
02738721df55077c4a8b8826e7cdd0243003ba4b34cb71f314ad05a29330c9c3
GuLoader
3ee7986c2ffb27457b0e9d270fdd477c953c310503fffc27aed1aa8cc6e8c70d
GuLoader
429a766fbf315ee6e6ec01e3a36cc39a66b14c3c71d2a5de94f5fbd2212367dd
GuLoader
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
GuLoader
7aac0d666b2552cb06d944ea7c54852070a9434708b221232faff64396b8f70a
GuLoader
86b20b72e5394385d0f51a531923647759f9bc02d048df3c1aad7e26ed773a8b
GuLoader
8f1517666a1f5f7f6d0f38814909251d41de92126c2a7df0626de2fa1ae9ba1f
GuLoader
aa474883fd952e16e13715aa7a698fa8eb0d596fea71d03dfbaa235a1b08aa15
GuLoader
deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
GuLoader
ed3a8701ae1164a1eec2e06b24ce46f54dd8c19838f7c5f92938cf1156178dca
GuLoader
+ 1'535 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader persistence rat
Link:
https://tria.ge/reports/210519-q9247jf6wn/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/Ose_2021%20remcos_UsrkxBzfYJ78.bin
gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu:2177
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ad231fb8cb3ab712bef3aae2c319cdd3d9f085eea7e0d205ca3729a85eb1294

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 1ad231fb8cb3ab712bef3aae2c319cdd3d9f085eea7e0d205ca3729a85eb1294

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/158747/
  
URLhaus
https://urlhaus.abuse.ch/url/1255988/
  
Delivery method
Distributed via web download

Comments