MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3473eba30a8c906099c975e56452188a6fb6449a8923687447fa8d1e1845e323. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	3473eba30a8c906099c975e56452188a6fb6449a8923687447fa8d1e1845e323
SHA3-384 hash:	9b47141bf8fa26802ecbb3ea77d129000e7a3edf0f4418d24d13390e9e73bd0ccb6d03a7fd49ea2c0c2fc7ba4c18e848
SHA1 hash:	00080f4171cd86938a5db429f6ec7af765b2ba06
MD5 hash:	55566e77a0720e167e128b8f7962919e
humanhash:	lima-indigo-pluto-princess
File name:	Demande de commande urgente No E2102468.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	221'184 bytes
First seen:	2021-07-26 12:43:00 UTC
Last seen:	2021-07-26 13:51:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	986283b4a993506f83eb1b2760b4b2b9 (4 x GuLoader)
ssdeep	3072:C/QGOapHKeiejGUPDY9cqEblcnpkp2RwDeq1RKCapJ4Pf:1wH9ilUucqEUKp2ef1R6K
Threatray	6'005 similar samples on MalwareBazaar
TLSH	T12B24173738289901F660BD77041A745E635EB91AA5AD6F1F3206F77EF231492E6B03C2
dhash icon	72e8d4ccf4d4e8f0 (2 x GuLoader)
Reporter	malwarelabnet
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Demande de commande urgente No E2102468.exe

Verdict:

No threats detected

Analysis date:

2021-07-26 15:00:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ca341c81-a878-4c0e-afb5-7b8cfba49292

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/174111/

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f537cd20-59f1-4760-a90a-58834af94278

Result

Threat name:

GuLoader Lokibot

Detection:

malicious

Classification:

evad.troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821758

Signature

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

GuLoader behavior detected

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Mucc

Status:

Malicious

First seen:

2021-07-26 09:05:46 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=grz6xiykrsigbgojoxswiuqyrjx3mre2rerwq5ch7kgr4gcf4mrq._file

Verdict:

unknown

GuLoader

060500558c754696c0056ec073344071c058d198ea0dba06632f93edb1276624

GuLoader

0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6

GuLoader

17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f

GuLoader

4359188e33f22ea7022cb6e57a3870f2613a1c37dbc483475e02b38cde5bfa8e

GuLoader

4c23bde9d70af07e072c01489007afa4ba4c3672b168e2846f5c2b74c4a9c84a

GuLoader

8825d54a98bbf629eac36f5a74a592a78d8463819c0f1e097e48ad5a235b92d9

GuLoader

88478956ea6c8ea5423e2c30e23fbbf893f4ebbcaa3718d407ac418bf9964c0e

GuLoader

8cd14212205658092f91a376a85fb70802200671ea0cbc74b73f1fcaf0f88ddb

GuLoader

e5e0a549727c9af4b170b6181dd1f69f8f5bfd268ef711c27a1687face31f052

GuLoader

+ 5'995 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/210726-qev9w43e6j/

Behaviour

Suspicious use of SetWindowsHookEx

Guloader,Cloudeye

Unpacked files

SH256 hash:

3473eba30a8c906099c975e56452188a6fb6449a8923687447fa8d1e1845e323

MD5 hash:

55566e77a0720e167e128b8f7962919e

SHA1 hash:

00080f4171cd86938a5db429f6ec7af765b2ba06

Link:

https://www.unpac.me/results/c5f80019-e47d-4924-98d5-9a342b9dfdf4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/3473eba30a8c906099c975e56452188a6fb6449a8923687447fa8d1e1845e323

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/174111/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample