MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 209280cbe0960634238fd3363bf0f311fe8620c7a38ba06e12c23b6614cdc67b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 209280cbe0960634238fd3363bf0f311fe8620c7a38ba06e12c23b6614cdc67b
SHA3-384 hash: 56ddc0c2b124a0c5ea5284a5217293d5b62da5a27fc60c7396c839bc55918e48c51e403f63b5499fcd473b0f6f4b3a62
SHA1 hash: 6523c8255c3793ea3a03cec671fcd18fdef73d37
MD5 hash: ce66c1a1d4e070172bc0c8334b71d990
humanhash: rugby-hydrogen-lima-utah
File name:payment receipt#4630.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:181'600 bytes
First seen:2020-10-16 10:34:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 14e489af52dde72f4ea9cf6e2a39a0af (2 x GuLoader)
ssdeep 1536:g3V+m4+hum0GJ/J6a2kZ801i+g6YCMFJbxtGS1645ZCD8ChZxnmZyNWUfd:g3LsmBJ6aT801hmfTE8ChZxnmgNn
Threatray 900 similar samples on MalwareBazaar
TLSH C5043DA1D395DCBDF84B42F7D43698E50893AF2998F4142E505D72246AB338B13FAD0B
Reporter Racco42
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71908/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Deleting of the original file
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
90 / 100
Link:
https://www.joesandbox.com/analysis/493382
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Detected Remcos RAT
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299140 Sample: payment receipt#4630.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 90 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 Detected Remcos RAT 2->39 41 9 other signatures 2->41 7 cos.exe 1 2->7         started        10 payment receipt#4630.exe 1 2->10         started        12 cos.exe 1 2->12         started        process3 signatures4 43 Tries to detect Any.run 7->43 45 Tries to detect virtualization through RDTSC time measurements 7->45 47 Hides threads from debuggers 7->47 14 cos.exe 2 10 7->14         started        18 payment receipt#4630.exe 5 11 10->18         started        21 cos.exe 6 12->21         started        process5 dnsIp6 31 recom-40698.portmap.io 193.161.193.99, 40698, 49744 BITREE-ASRU Russian Federation 14->31 49 Detected Remcos RAT 14->49 23 iexplore.exe 14->23         started        33 mscni.org 198.54.116.78, 443, 49728, 49743 NAMECHEAP-NETUS United States 18->33 27 C:\Users\user\AppData\Roaming\Frist\cos.exe, PE32 18->27 dropped 29 C:\Users\user\...\cos.exe:Zone.Identifier, ASCII 18->29 dropped 51 Creates an undocumented autostart registry key 18->51 53 Tries to detect Any.run 18->53 55 Hides threads from debuggers 18->55 25 wscript.exe 18->25         started        file7 signatures8 process9
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/209280cbe0960634238fd3363bf0f311fe8620c7a38ba06e12c23b6614cdc67b/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 10:36:08 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecjibs7asyddii4p2m3dx4htch7imighuof2a3qsyi5wmfgnyz5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
guloader
Create hunting rule
Similar samples:
01de61b8b14bb1231ac14968c89b304afa74376e70ce29c7da92259a8a702b60
GuLoader
11e021f5ccf8e8af0f64a10c1fae6285df671c2ad5a97d30f0d888374764128b
GuLoader
4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b
GuLoader
48a1d2d19d917dfd3d1e94cb26198d7841f9263e36c64fa5f4153a9f776de355
GuLoader
54c9967a2b3467f1a5961630d0bd429400e781de19866a383267c40e0f9acf2f
GuLoader
6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9
GuLoader
92a5e29476cdb43a5d56b2709e98a54e1ef4e4af24d4c136caa8a147014898a6
GuLoader
a32c37dd601a6fcdd6e622b2c928c7ef7935a77a0df9a2dfb9c7774630dd266e
GuLoader
c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006
GuLoader
e138622ca793f4a546496b40dcf406a83aa667d16fa2a29879d8282a39d6e7ff
GuLoader
+ 890 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:remcos
Link:
https://tria.ge/reports/201016-gy9cbp1hbx/
Behaviour
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
recom-40698.portmap.io:40698
Unpacked files
SH256 hash:
209280cbe0960634238fd3363bf0f311fe8620c7a38ba06e12c23b6614cdc67b
MD5 hash:
ce66c1a1d4e070172bc0c8334b71d990
SHA1 hash:
6523c8255c3793ea3a03cec671fcd18fdef73d37
Link:
https://www.unpac.me/results/2ed42452-c81b-4f69-89e4-1622f737f17e/
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/2ed42452-c81b-4f69-89e4-1622f737f17e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/209280cbe0960634238fd3363bf0f311fe8620c7a38ba06e12c23b6614cdc67b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 209280cbe0960634238fd3363bf0f311fe8620c7a38ba06e12c23b6614cdc67b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71908/

Comments