MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 257fe290eb9d63d6d55207ac2298db8ec1e76170cc6a00c06a41e242ef24518a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	257fe290eb9d63d6d55207ac2298db8ec1e76170cc6a00c06a41e242ef24518a
SHA3-384 hash:	088be2d1250f2aad0675fe5ab970c84b0cf959eeeb47da63b1acdbe1d99f61efd49a690b3a508e2711ddb815e90c542a
SHA1 hash:	d022cb7fa036b3439ededf8dcf171b36da31e8ff
MD5 hash:	ccbaaaba6fc8a93fa7b30d0ede0fc001
humanhash:	venus-seventeen-fruit-nine
File name:	sky.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-08-04 12:57:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c0c3ac7427871918bc10738eee458604 (2 x GuLoader)
ssdeep	768:i7cKT/0eOEmH7d1ZlloqkVvvXQ+9xgVwYoFisRv5XwMNnpEgv1x2P/IrF7s6NIK:RUs7ZluLZzFYo8+NpEgvrnm6NI
Threatray	610 similar samples on MalwareBazaar
TLSH	E0A3E55695E80639F177DF71997806E7503D7C3A782E85CB8EF8386E33B2D048624A27
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38668/

Detection(s):

Win.Dropper.Remcos-9219982-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/409393

Signature

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/257fe290eb9d63d6d55207ac2298db8ec1e76170cc6a00c06a41e242ef24518a/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-08-04 12:57:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ev76fehltvr5nvksa6wcfgg3r3a6oylqzrvabqdkihref3zekgfa._file

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200804-wkbjxm417s/

Behaviour

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/257fe290eb9d63d6d55207ac2298db8ec1e76170cc6a00c06a41e242ef24518a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/38668/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample