MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 226a5cd30d41f0f8a4216a8c981c2ccee0a2f06e00135f891f8b5242a9162da2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	226a5cd30d41f0f8a4216a8c981c2ccee0a2f06e00135f891f8b5242a9162da2
SHA3-384 hash:	88d9ef68b9ec500caafc24a268bfcbb28cccd468784e2ccfea451babd46c2d53b735cac4ad7a1e34f40cb233ebf0159b
SHA1 hash:	40281965a6fc65a4a09622f57aadff987d7106f6
MD5 hash:	7288ec09188a119b44bf03cde9c60381
humanhash:	march-angel-bluebird-purple
File name:	SecuriteInfo.com.Trojan.Siggen17.32175.9558.11584
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	362'496 bytes
First seen:	2022-04-03 09:48:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:cYa6Z5tDJg6Jflrzd+SO9pOyrm8je2+MWJ8wg1qt6IC:cY/hLO9p55nRWJ/efI
TLSH	T162742A92B011819AED7725F3AC2F883025D36EAE91B5D20D56E7772A5BF3353005BF0A
File icon (PE):
dhash icon	712a4a25a593a331 (3 x GuLoader, 1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/260243/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.32175.9558.11584.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Creating a file in the Windows directory

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12432/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62496d8e9253b276b7d6ffef/reports/4e1aef94-4af0-42ac-990c-7cd5b9951e73/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ec5be387-56ab-42df-8dac-3cc393aa7788

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/969545

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/226a5cd30d41f0f8a4216a8c981c2ccee0a2f06e00135f891f8b5242a9162da2/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2022-04-03 09:49:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

cloudeye

Result

Malware family:

guloader

Score:

10/10

Tags:

family:formbook family:guloader campaign:eo22 downloader rat spyware stealer trojan

Link:

https://tria.ge/reports/220403-ltbs1ahgg5/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Loads dropped DLL

Formbook Payload

Formbook

Guloader,Cloudeye

Unpacked files

SH256 hash:

226a5cd30d41f0f8a4216a8c981c2ccee0a2f06e00135f891f8b5242a9162da2

MD5 hash:

7288ec09188a119b44bf03cde9c60381

SHA1 hash:

40281965a6fc65a4a09622f57aadff987d7106f6

Link:

https://www.unpac.me/results/e74c5072-81e7-4f04-a6f1-570ba7543498/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/226a5cd30d41f0f8a4216a8c981c2ccee0a2f06e00135f891f8b5242a9162da2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260243/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample