MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e2f8b1c2f4e6ee0cac6fe9dea22e3a1f5bb339136dfda2a2c9168b930e5f070. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e2f8b1c2f4e6ee0cac6fe9dea22e3a1f5bb339136dfda2a2c9168b930e5f070
SHA3-384 hash: c5e0807e720c401b34fa5b8af4699b4412d05b85e1e05e239252fe44e57a6e939dcbc98ac271d188a7a40420aeb4c4bd
SHA1 hash: 0f83c8f5aec74af92959d625dd47a81004183a4b
MD5 hash: 73e6b506f68e76aad8a719386c2fa120
humanhash: floor-uncle-william-echo
File name:RFQ#442525252_March_001.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:163'840 bytes
First seen:2021-03-01 08:57:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c29ba808745aac6939bdc80eb71f478 (4 x GuLoader)
ssdeep 1536:b/8i9s0k44Y7QWyoDaThnOpzfzD2Tf9fxieYUjpEyN3n5laZWl9sRGC:I07QKsnOFbD60eLpD2WQ
Threatray 4'144 similar samples on MalwareBazaar
TLSH AFF384B57240E611F35884B2C37259FB6290AC7587B5DA0FA3CC3D3A3674A96832C6DD
Reporter JAMESWT_WT
Tags:GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ#442525252_March_001.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 08:56:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9841446e-af38-4d62-bd07-19d1f6a95f66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120187/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/621919
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e2f8b1c2f4e6ee0cac6fe9dea22e3a1f5bb339136dfda2a2c9168b930e5f070/
Threat name:
Win32.Trojan.Symmi
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 07:43:49 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dyxywhbpjzxobswg72o6uixduh23wm4rg3p5ukrmsfulsmhf6bya._file
Verdict:
unknown
Similar samples:
28e01bffab6c9c78d2760e8a5d28ae229b9547930b5ff75c3f1a8d0f68701df2
GuLoader
74defd8809c3c66152c56c0f711d60e7110683784e42df2d80dcf3e30c412f6a
GuLoader
8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
GuLoader
ba09c031c8345f685a7da248184f5bdec2007989bbaabe9f299b601c2734541d
GuLoader
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
GuLoader
be1d469e7f434641202ffde45e666cd4b1d255814f8cbf344a3aff1e78e86768
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
GuLoader
+ 4'134 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210301-n9acndx2c6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/9550a8be-4911-45e6-af9e-004a3ae7056c/
SH256 hash:
1e2f8b1c2f4e6ee0cac6fe9dea22e3a1f5bb339136dfda2a2c9168b930e5f070
MD5 hash:
73e6b506f68e76aad8a719386c2fa120
SHA1 hash:
0f83c8f5aec74af92959d625dd47a81004183a4b
Link:
https://www.unpac.me/results/9550a8be-4911-45e6-af9e-004a3ae7056c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1e2f8b1c2f4e6ee0cac6fe9dea22e3a1f5bb339136dfda2a2c9168b930e5f070

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/120187/

Comments