MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c6bd398f9ee650ad9fd68a74846a169b61fbef689ee6abf8fb68962ccea4041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

SHA256 hash: 1c6bd398f9ee650ad9fd68a74846a169b61fbef689ee6abf8fb68962ccea4041
SHA3-384 hash: b34e801effef3f813c869efffcfbd90d99fe5c0175c96daff0aa089c7cab307b67916f07436796a48d8df7b214c1fa4f
SHA1 hash: 908ce86f7b0d52975e9cab72b66189498423914d
MD5 hash: afbc1dcf9d097f53bff3e0a3554bd514
humanhash: fillet-crazy-georgia-william
File name: SecuriteInfo.com.Trojan.GenericKD.63819589.32373.28357
Signature: GuLoader
File size: 390,192 bytes
First seen: 2022-11-24 04:34:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep: 6144:09KOQS4ykl3bwv8o+QwXE4Wtex0herCFcDMCmOGe9/v3d2wsr4GVpYVs408ZdT5F:0s13blXEfspCFcoCfn2r48K08ZdT531
TLSH: T1B484228327F1881FDF43E4F226665A7EEABFD54C15131A1B4B665EE62E21F074C020AD
TrID: 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
      3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter: SecuriteInfoCom
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: Ddbrndt
Issuer: Ddbrndt
Algorithm: sha256WithRSAEncryption
Valid from: 2022-05-05T00:37:58Z
Valid to: 2025-05-04T00:37:58Z
Serial number: 33689a418d492d94
Thumbprint algorithm: SHA256
Thumbprint: 591e27ab607b76c8b99b1bf982d639f8f8306628bcfd7ba234db290ad354b662
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

The organisation and issuer fields are identical, so this is a self-signed certificate. The "signed" tag on the entry records only that a signature is present on the file, not that it validates against any trusted root.

Intelligence

File Origin

Uploads: 1
Downloads: 336
Origin country: n/a

Vendor Threat Intelligence

Malware family: guloader
ID: 1
File name: SecuriteInfo.com.Trojan.GenericKD.63819589.32373.28357
Verdict: Malicious activity
Analysis date: 2022-11-24 04:39:51 UTC
Tags: installer guloader
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean

Behaviour
Creating a window
Creating a file
Searching for the window
Creating a file in the %temp% directory
Delayed reading of the file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-11-23 05:10:04 UTC
File type: PE (Exe)
Extracted files: 8
AV detection: 11 of 41 (26.83%)

Threat level: 5/5
Verdict: malicious
Label(s): formbook cloudeye

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:h8t0 rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Formbook

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files

SHA256 hash: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
MD5 hash: 6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1 hash: b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256 hash: 1c6bd398f9ee650ad9fd68a74846a169b61fbef689ee6abf8fb68962ccea4041
MD5 hash: afbc1dcf9d097f53bff3e0a3554bd514
SHA1 hash: 908ce86f7b0d52975e9cab72b66189498423914d

Please note that we are no longer able to provide a coverage score for Virus Total.
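Before working with a downloaded copy of this sample, or with files a sandbox unpacked from it, it is worth confirming that what is on disk is the artifact the entry describes. The following script is an added example, not MalwareBazaar's own tooling: it recomputes the SHA256, SHA3-384, SHA1 and MD5 digests listed in the entry header and in the Unpacked files section above, and reports which catalogued file a local path corresponds to. It assumes the sample has already been extracted to a local path; the path names and the labels "original sample" and "unpacked file" are the example's own. The unpacked file is listed on the page with only SHA256, SHA1 and MD5, so only those three are checked for it.

```python
import hashlib

# Digests copied from the MalwareBazaar entry above. The labels are this
# example's own names for the two catalogued files, not site terminology.
KNOWN_FILES = {
    "original sample": {
        "sha256": "1c6bd398f9ee650ad9fd68a74846a169b61fbef689ee6abf8fb68962ccea4041",
        "sha3_384": "b34e801effef3f813c869efffcfbd90d99fe5c0175c96daff0aa089c7cab307b67916f07436796a48d8df7b214c1fa4f",
        "sha1": "908ce86f7b0d52975e9cab72b66189498423914d",
        "md5": "afbc1dcf9d097f53bff3e0a3554bd514",
    },
    "unpacked file": {
        "sha256": "b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1",
        "sha1": "b6ac111dfb0d1fc75ad09c56bde7830232395785",
        "md5": "6f5257c0b8c0ef4d440f4f4fce85fb1b",
    },
}

# hashlib names for the four digest types shown on the entry.
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def digest_bytes(data: bytes) -> dict:
    """Lowercase hex digests of an in-memory blob, one per listed algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in a single streaming pass so large samples
    never have to be read into memory whole."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual: dict, expected: dict) -> dict:
    """Per-algorithm match table. Only the algorithms present in `expected`
    are checked, so a catalogue entry without SHA3-384 is not penalised;
    case and stray whitespace in pasted hashes are ignored."""
    return {
        name: (actual.get(name) or "").strip().lower() == value.strip().lower()
        for name, value in expected.items()
    }


def identify(actual: dict, known: dict = KNOWN_FILES):
    """Label of the known file whose listed digests ALL match, else None.
    A partial match (some digests agree, others do not) also yields None:
    that would mean either the file or the catalogue entry is inconsistent,
    and neither should be silently accepted."""
    for label, expected in known.items():
        if all(compare(actual, expected).values()):
            return label
    return None


def identify_file(path, known: dict = KNOWN_FILES):
    """Convenience wrapper: hash a path and classify it."""
    return identify(digest_file(path), known)


if __name__ == "__main__":
    import sys

    # Usage: python verify_sample.py <extracted sample> [<unpacked file> ...]
    for arg in sys.argv[1:]:
        digests = digest_file(arg)
        print(f"{arg}: {identify(digests) or 'no match'} (sha256 {digests['sha256']})")
```

A file that matches none of the catalogued digests is not necessarily benign; it simply is not the artifact this entry describes and should be triaged on its own terms.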

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments