MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 311bf44fb33aa4661e8630fcb2830f22714427133527c1768f0b0ceaad502533. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 311bf44fb33aa4661e8630fcb2830f22714427133527c1768f0b0ceaad502533
SHA3-384 hash: b5f116fc50c5c38e851cb781b0d53a9eb862155f800466504ea46201d27c80b7ebe41b08f6b132a581abafbedaca214a
SHA1 hash: a832f92b9ecaf0f547cecf108c0b3376997b36f6
MD5 hash: 13a2aca4dfe2b980733d2ff00deb1ba3
humanhash: ten-fix-one-michigan
File name:13a2aca4_by_Libranalysis
Download: download sample
Signature GuLoader
Create hunting rule
File size:112'416 bytes
First seen:2021-05-19 19:01:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 1536:cKWNfXVjx2GIBZlw67rXa/3TEpoyxu1w6ZTeMw3pDE:cKIjxLIBZlw6mTioOu+ITeF3pDE
Threatray 1'534 similar samples on MalwareBazaar
TLSH 11B3B466B6BBF570FE1880F0270C53A891AB3E78C815494BDCC6291863F167696247FB
Reporter Libranalysis
Tags:GuLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
13a2aca4_by_Libranalysis
Verdict:
Suspicious activity
Analysis date:
2021-05-19 19:32:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89d45ec9-b011-4b1b-be93-f5e0fd827a3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158754/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.16053.5748.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785301
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/311bf44fb33aa4661e8630fcb2830f22714427133527c1768f0b0ceaad502533/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 13:50:38 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gen7it5thksgmhuggd6lfaypejyuijytgut4c5upbmgovlkqeuzq._file
Verdict:
unknown
Similar samples:
02738721df55077c4a8b8826e7cdd0243003ba4b34cb71f314ad05a29330c9c3
GuLoader
2b63f1488d9a8396513a3dd2ca07b44adee4b1187dc5e6d94934ed6271e76f5d
GuLoader
3016a6fd03e57ee760ab4c79ec8822caa4eda8c24236d7eec230f6ca6f4d785a
GuLoader
34a666042ff3ad45f4e1e37776cc55d4f4fdd1bcd8233852839d55fc076410d1
GuLoader
6670269c08d80b6511029d06dfa07711a5e0bb1494107da5dc9d9d5661f010f3
GuLoader
8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
GuLoader
b0ce84526989dd02968e8ddae780d47de367ece10dbfc9d472893531abd08825
GuLoader
c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414
GuLoader
d5956571b9e9bc5c925d5b26a0bd0771c636bff202c0adb7d1d9ad6efe487bae
GuLoader
d75c69a49a30595964989b72499ec0e303ff42a0e2a334dda22a9cd9fd7e8ba5
GuLoader
+ 1'524 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210519-4asl32d8js/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/malay%20dey%20newfile_qmXqWnvz189.bin
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/311bf44fb33aa4661e8630fcb2830f22714427133527c1768f0b0ceaad502533

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 311bf44fb33aa4661e8630fcb2830f22714427133527c1768f0b0ceaad502533

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/158754/
  
URLhaus
https://urlhaus.abuse.ch/url/1256018/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-19 20:08:17 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing