MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9
SHA3-384 hash: 329b8a1205aa337a619e5d6648c101c8c27647e6339306c2ab288a8dd52a19608708736b73d80d715ef6595b22936c84
SHA1 hash: 937574595a8e68f7a77b95a7f99b530007f9fc5c
MD5 hash: 300ffb3fd65eb4a84a14802828f91e38
humanhash: bacon-green-fillet-uncle
File name:3507071243740008011.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:986'863 bytes
First seen:2024-10-20 15:47:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (563 x GuLoader, 120 x RemcosRAT, 82 x EpsilonStealer)
ssdeep 24576:8HANkRMLHpYc/hipJgn1pRQFPEgAhHjL4kJiMv:8HANkRMLHicJi3o10RHc0aJ
TLSH T14D252208E7E07467C3E58FF8072652577637AC69E5920B870391BFAA3A65740F60E378
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Racco42
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
426
Origin country :
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3507071243740008011.exe
Verdict:
No threats detected
Analysis date:
2024-10-20 15:48:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3a2bca1-7d4d-4d34-95b8-b67a52730503

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.NSIS.InjectorX-gen.18582.8981.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671525fe5a02f8393c72a1cc
Tags:
injection exploit obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed packed packer_detected shell32
Link:
https://www.filescan.io/uploads/671526337f0550dc47f99837/reports/fd426a67-f99c-45d3-babc-f43f3da0af18/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f864e015-0c73-471a-9baf-2b840ec2a369
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1538168
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-10-18 16:27:33 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=es7o7ptuzt4jwjc5kddsphedqayymvtnjpsprh4hlyqd5qxu5x4q._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
error
GuLoader
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/241020-s8rlbsyalp/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a2c8d49b-dba5-4fb8-8fde-8657a4ca6a90
Unpacked files
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/0b677c9f-062a-4684-bda9-583f4ccf2d14/
SH256 hash:
24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9
MD5 hash:
300ffb3fd65eb4a84a14802828f91e38
SHA1 hash:
937574595a8e68f7a77b95a7f99b530007f9fc5c
Link:
https://www.unpac.me/results/0b677c9f-062a-4684-bda9-583f4ccf2d14/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments