MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26c05a01e64bfd4d0bd1d62aa448ad3309c999aca2d87fcbef41ea45cd142633. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26c05a01e64bfd4d0bd1d62aa448ad3309c999aca2d87fcbef41ea45cd142633
SHA3-384 hash: 5f4aae6cbefffe35a9e771d6e491c1480589c706d0a9077d0af147678460bb0a145ee4b84497954d30764965baf396b3
SHA1 hash: 55d19865094d8c37b7aad5d736584f4220f1ff22
MD5 hash: 1f658fd09c37d65db9c4535516f81ebe
humanhash: nuts-glucose-eight-sodium
File name:Bankswitching.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:388'975 bytes
First seen:2023-07-24 14:37:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:zMm4CC4k0viBqKNZMfJRoMDwHF8dRmwuen6XZDK23xFPaIR4dc:zMwxvvGBZeLwHFwpSO23xZaIRYc
Threatray 859 similar samples on MalwareBazaar
TLSH T11E841282FE50D16FC59287B5182288FABFE2AF12AD245F0B73503B4F353E6919C4E651
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 020375d60608ae06 (6 x GuLoader)
Reporter malwarelabnet
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bankswitching.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-24 14:37:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d5cb7865-554a-4b8d-bc9e-91385c1bc72e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/431055/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.7689.22362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/26c05a01e64bfd4d0bd1d62aa448ad3309c999aca2d87fcbef41ea45cd142633
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8ca455d6-b768-44b4-b427-effbf860b9af
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278398
Signature
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1278398 Sample: Bankswitching.exe Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 32 www.yokaiph.store 2->32 34 www.waktugaspoolne3.xyz 2->34 36 22 other IPs or domains 2->36 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 10 Bankswitching.exe 2 31 2->10         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 10->30 dropped 68 Tries to detect Any.run 10->68 14 Bankswitching.exe 6 10->14         started        signatures6 process7 dnsIp8 44 googlehosted.l.googleusercontent.com 142.250.184.225, 443, 49863 GOOGLEUS United States 14->44 46 drive.google.com 142.250.185.110, 443, 49862 GOOGLEUS United States 14->46 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Tries to detect Any.run 14->72 74 Maps a DLL or memory area into another process 14->74 76 Queues an APC in another process (thread injection) 14->76 18 RAVCpl64.exe 14->18 injected signatures9 process10 signatures11 48 Sample uses process hollowing technique 18->48 21 cmmon32.exe 13 18->21         started        process12 signatures13 58 Tries to steal Mail credentials (via file / registry access) 21->58 60 Tries to harvest and steal browser information (history, passwords, etc) 21->60 62 Writes to foreign memory regions 21->62 64 3 other signatures 21->64 24 explorer.exe 4 1 21->24 injected 28 firefox.exe 21->28         started        process14 dnsIp15 38 www.yokaiph.store 185.27.134.59, 49902, 49903, 49904 WILDCARD-ASWildcardUKLimitedGB United Kingdom 24->38 40 cvanalysiswithai.com 67.20.76.62, 49892, 49893, 49894 UNIFIEDLAYER-AS-1US United States 24->40 42 12 other IPs or domains 24->42 66 System process connects to network (likely due to code injection or exploit) 24->66 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26c05a01e64bfd4d0bd1d62aa448ad3309c999aca2d87fcbef41ea45cd142633/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 14:17:30 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3afuapgjp6u2c6r2yvkisfngme4tgnmulmh7s7pihveltiueyzq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
190ab20809cf0e5dee4860df81f3151e95b23f9840f02ab3e9ad2f7cc02f46d5
GuLoader
192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98
GuLoader
353f8ece228306908b2fd556d8668d31c861aac3860c573448c77b3abc94e6b1
GuLoader
4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875
GuLoader
4a30ba2e0012dd756f7d6fab584e78fe144a306d134921502819330a6978d328
GuLoader
8fdc286a9b7ea65bd8e90e8b413c43e16763c3e1bcef52daedcc97894482bb06
GuLoader
97bd79e26600f552bfb5764aec1606acb63b830b5fefb807d12fe2088854a3cc
GuLoader
c4079f3f904aaaeda007ba7ce93f24d8a47eb749be233eaf87766e12fcada032
GuLoader
c76519bac4cff0206fbdd13fd4f016b7d7fe3607fd0c4b25dde7155765a9b2ae
GuLoader
e99e6625b738c7c270fea262c29bccbd80989649e7b8408036dadce6535f253a
GuLoader
+ 849 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/230724-ry5vjaeg3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/65ae4bd2-0257-45e1-ad2c-b345fdd50f59/
SH256 hash:
26c05a01e64bfd4d0bd1d62aa448ad3309c999aca2d87fcbef41ea45cd142633
MD5 hash:
1f658fd09c37d65db9c4535516f81ebe
SHA1 hash:
55d19865094d8c37b7aad5d736584f4220f1ff22
Link:
https://www.unpac.me/results/65ae4bd2-0257-45e1-ad2c-b345fdd50f59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/26c05a01e64bfd4d0bd1d62aa448ad3309c999aca2d87fcbef41ea45cd142633

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/431055/

Comments