MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37
SHA3-384 hash:	7b56c51792f732147180483ca343394291eb01f4184553e00729ae40ff7b018840c5ad731fdeeb8a49d0eb805d0d6161
SHA1 hash:	7a1c547f1c38b9fe7b3a651787c863d490d294cc
MD5 hash:	da33aac5f666cb19e32c78e1e8ddfeef
humanhash:	zulu-equal-montana-helium
File name:	BK635636736_BOOKING CONFIRMATION.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	471'040 bytes
First seen:	2021-09-13 13:22:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	01b006fd37878659f6f60ca0efdc2460 (4 x GuLoader)
ssdeep	6144:xqqadRaFlGCfS/GLUCffBfRfBfBG/qFGGGGGGGG0GGGGGGGGGGGGGGGGGGLGGGGR:xdnFMnDeJDFE
Threatray	5'240 similar samples on MalwareBazaar
TLSH	T187A4A551F479C215D55F7F33EB14E5F50222DC6200F1E90B6A88BD6335FA2DEE80AA4A
dhash icon	69f0e2e6b2b2b269 (3 x GuLoader)
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

1

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

BK635636736_BOOKING CONFIRMATION.exe

Verdict:

No threats detected

Analysis date:

2021-09-13 13:28:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/19064271-920a-4b74-8c78-8643da57179e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/187477/

Detection(s):

Win.Dropper.Mucc-9892792-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/61750234a9d585e6d53709b3/reports/283a80bc-5c3a-4d45-ac32-5853a4331440/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f357dbc7-7e50-4c11-8c38-d7e66e9d8b80

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/849824

Signature

GuLoader behavior detected

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Detection:

guloader

Link:

https://mwdb.cert.pl/sample/2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eil7bltnrnubvy3a4nw5anqzwkobpoxjrw6kbw2ks4r4ucrynu3q._file

Verdict:

malicious

Label(s):

cloudeye

Similar samples:

15520c752a3375cd92bee021404e10830d4732681be2e50b3d293bcbd3c1e262

27563e3971b4f2baf6bf551323b1538809038aa456d5e0c02dd5e6a902b8f0e6

39de6e1f455747a1e878f070e5b62e306a60bd595d5a1840518cc07972a5c6d1

75591cb23ef20e0a1bc8d01a392621d608b83ee25bcf37b330d3e966d2c8a50b

8682df8104337b21a5ec19279b4f7c51a199e53dbb77b5d5a73ea8eeda545ba0

ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55

ced266ad59923661e84dca65e4412e0b99a11fe4868f4219142ebc49a8308fb2

db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea

e909198f5ca355e38c8459bc7ae2028ee25f849fde5c37714f914b87a94b5182

+ 5'230 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/210913-ql9saadgc4/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/c72a520d-79c7-4f32-bd0d-075bbf3dbce7/

SH256 hash:

2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37

MD5 hash:

da33aac5f666cb19e32c78e1e8ddfeef

SHA1 hash:

7a1c547f1c38b9fe7b3a651787c863d490d294cc

Link:

https://www.unpac.me/results/c72a520d-79c7-4f32-bd0d-075bbf3dbce7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/2217f0ae6d8b681ae360e36dd03619b29c17bae98dbca0db4a9723ca0a386d37

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/187477/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample