MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ea4caa07c9f3ed8f82e1f61e73c7487eefb33a57aa1bcdfd41536cf419b5e4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ea4caa07c9f3ed8f82e1f61e73c7487eefb33a57aa1bcdfd41536cf419b5e4b
SHA3-384 hash: 19ad2a3d117da045846c8b7ce45cf38b0060c51be4815f82067b4c64399af69a4fa30d5a2891e015bff3cfe9c378a91c
SHA1 hash: 609ac024ef554a676bedbb3bf120e6b0d50236a6
MD5 hash: da2c57b726e708de165aac71b1d98f7a
humanhash: uncle-magnesium-eight-winter
File name:da2c57b726e708de165aac71b1d98f7a.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2021-03-03 19:00:16 UTC
Last seen:2021-03-03 20:50:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 05dcbee7bb2d3c59124fc0704fece83d (9 x GuLoader)
ssdeep 1536:Mv4ZN9U83pChPBCrVNTIqoyEgLnudufGsX4aYpTzBZXpuLVjv4ZN9U:VwA+2FuQmXxoJ
Threatray 4'276 similar samples on MalwareBazaar
TLSH F8A3EB16BCBC5487C7674330D41EA5CA0266DF227A20B68B7414F63BD9B93E2567833B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://telmed.cl/vp/VK_Remcos%20v2_AxaGIU151.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da2c57b726e708de165aac71b1d98f7a.exe
Verdict:
No threats detected
Analysis date:
2021-03-03 21:28:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d7c12863-0725-41c3-ad9a-daa4511da7b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122013/
Detection(s):
SecuriteInfo.com.Variant.Midie.79534.18633.7725.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/626957
Signature
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 362463 Sample: ysyw6honRO.exe Startdate: 04/03/2021 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 9 ysyw6honRO.exe 1 2->9         started        12 win.exe 1 2->12         started        14 win.exe 1 2->14         started        process3 signatures4 48 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 9->48 50 Tries to detect virtualization through RDTSC time measurements 9->50 52 Contains functionality to hide a thread from the debugger 9->52 16 ysyw6honRO.exe 4 10 9->16         started        process5 dnsIp6 34 telmed.cl 190.4.211.181, 49752, 80 CTCCORPSATELEFONICAEMPRESASCL Chile 16->34 30 C:\Users\user\AppData\Roaming\win.exe, PE32 16->30 dropped 32 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 16->32 dropped 44 Tries to detect Any.run 16->44 46 Hides threads from debuggers 16->46 21 wscript.exe 1 16->21         started        file7 signatures8 process9 process10 23 cmd.exe 1 21->23         started        process11 25 win.exe 1 23->25         started        28 conhost.exe 23->28         started        signatures12 54 Multi AV Scanner detection for dropped file 25->54 56 Machine Learning detection for dropped file 25->56
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ea4caa07c9f3ed8f82e1f61e73c7487eefb33a57aa1bcdfd41536cf419b5e4b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-03 13:45:19 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2smvid4t47nr6bod5q6opduq7xpwm5fpkq3zx6ucu3m6qm3lzfq._file
Verdict:
unknown
Similar samples:
042e803fd904b4e9d4cc9825409fcbc260c1e128141b31fc8b82fdac860fc9d1
GuLoader
11277dfb2ce8447d4490077fafe8ef942c58918085ebabb679d4bff2f95f3be9
GuLoader
3e6e31b97b51015205df9e5043f01adddd0e5cd8248bac5bb0a7e7d75b5684bf
GuLoader
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
GuLoader
92220a7bfec49f94eb182c7786e97c4f7cfb0c7b2ef30b07bb31a41ddf41b8b7
GuLoader
9be235495bd4696901a7e0538b3d96f6996268c67c1b607cdc8e33a794a6a9da
GuLoader
aecb55705902959e472dc619eb5d2f0129778d5d9cfb1402290acc9f6a4c18f5
GuLoader
ba09c031c8345f685a7da248184f5bdec2007989bbaabe9f299b601c2734541d
GuLoader
c9c16c074eb3842a2bc6dc4b998831a455d87997d194945e377e8855817a36b3
GuLoader
d725785ec3970b75ecb17a7e5ac14d93ce7a54d259dffc74e8222ed8cfb8b6b3
GuLoader
+ 4'266 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210303-cts3jsv542/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/7c363023-615c-4a8e-b04b-c84a905dbf5c/
SH256 hash:
2ea4caa07c9f3ed8f82e1f61e73c7487eefb33a57aa1bcdfd41536cf419b5e4b
MD5 hash:
da2c57b726e708de165aac71b1d98f7a
SHA1 hash:
609ac024ef554a676bedbb3bf120e6b0d50236a6
Link:
https://www.unpac.me/results/7c363023-615c-4a8e-b04b-c84a905dbf5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/2ea4caa07c9f3ed8f82e1f61e73c7487eefb33a57aa1bcdfd41536cf419b5e4b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 2ea4caa07c9f3ed8f82e1f61e73c7487eefb33a57aa1bcdfd41536cf419b5e4b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1043860/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122013/

Comments