MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36b3f981e048ed45c2e2abe1700ae4472119dd8aa50295cf8ae1abc896e62116. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	36b3f981e048ed45c2e2abe1700ae4472119dd8aa50295cf8ae1abc896e62116
SHA3-384 hash:	86d15bceeda4d4036060732c9f4e69e1e909362fb04ca7938303bcf181224c9f4d5029eb9a69d6bb75e759c0b1daa811
SHA1 hash:	c9f364644abfcb0e7856821503bb9587f6587d01
MD5 hash:	ff3c9b8bea61e71d8bb0e0f04d6d4fdd
humanhash:	yellow-princess-montana-freddie
File name:	SecuriteInfo.com.Gen.Variant.Nemesis.13387.27803.28025
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	350'976 bytes
First seen:	2022-11-03 05:09:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1f23f452093b5c1ff091a2f9fb4fa3e9 (276 x GuLoader, 37 x RemcosRAT, 23 x AgentTesla)
ssdeep	6144:hIw32YBwfcmRerzFCz+a9gY/uJ4vv54q7upQn60VTvoddmTmqAe7jq:JCfczzFCz++u+vvyqvn60tDTmqA
Threatray	129 similar samples on MalwareBazaar
TLSH	T10D74BE929A104565FC2A73B0513E1C253657BF6FA8FBBA4E175871152FF32C2006B92B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	040901091d030313 (1 x GuLoader)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-07-13T21:02:28Z
Valid to:	2025-07-12T21:02:28Z
Serial number:	-0daef15e3cd330f6
Thumbprint Algorithm:	SHA256
Thumbprint:	9c03860a06f5c8483276449d6e800de25b32a21c1b6102496bf9ff3c3d4f96fe
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

guloader

ID:

File name:

SecuriteInfo.com.Gen.Variant.Nemesis.13387.27803.28025

Verdict:

Malicious activity

Analysis date:

2022-11-03 05:12:00 UTC

Tags:

guloader

Link:

https://app.any.run/tasks/3d47ae49-dda0-4b26-9d2c-82ec8d2bfa53

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/327599/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.13387.27803.28025.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file

Delayed reading of the file

Launching a process

Forced system process termination

Creating a file in the %temp% directory

Creating a window

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/47778/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

guloader nemesis overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63634d2b1fb205cdb20b447f/reports/9b3ac011-7f4d-4509-b16b-56fe98c34105/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9bba500e-786d-4dc0-ab07-3b4195d368c6

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1104045

Signature

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36b3f981e048ed45c2e2abe1700ae4472119dd8aa50295cf8ae1abc896e62116/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2022-11-03 03:44:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 41 (41.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g2z7tapajdwulqxcvpqxacxei4qrtxmkuubjlt4k4gv4rfxgeela._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

2f35e754d4ed60b61a7621e22710426b1d1ade21cd31cb4b2d71a88b2a53decc

GuLoader

98e098fe55b289c3e03c0f18a79ed66fc95677b680aa0877bd7b83d8d853bbb9

GuLoader

9f47ed5d4825d6cf54c46856454b381f0a594dfdaa5027af5dc8379df03bcaa8

GuLoader

cbbf5f08eb9fd0467576bf23b709d414ce9e7061b028c29ce08f179af6e60a97

GuLoader

d3a66173013a037b63d6ab4eb79916bb7e32cea117a3a12ed823f1f41ee69ce2

GuLoader

d418b33e0f47d43fcc31e623c7c2b581aa9df51fb47a15414a8bb45b009f813b

GuLoader

ef98f88e2af062e52962b309ec92736c485ce509e6319271cdde46e030455b5b

GuLoader

+ 119 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/221103-ftprzahcak/

Behaviour

Enumerates physical storage devices

Drops file in Windows directory

Checks installed software on the system

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/df57584f-6282-4414-b343-1fd803100f78

Unpacked files

SH256 hash:

f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

MD5 hash:

8b3830b9dbf87f84ddd3b26645fed3a0

SHA1 hash:

223bef1f19e644a610a0877d01eadc9e28299509

Link:

https://www.unpac.me/results/1ea3c3c4-0f41-451a-b6e4-d2c39e2d6419/

SH256 hash:

36b3f981e048ed45c2e2abe1700ae4472119dd8aa50295cf8ae1abc896e62116

MD5 hash:

ff3c9b8bea61e71d8bb0e0f04d6d4fdd

SHA1 hash:

c9f364644abfcb0e7856821503bb9587f6587d01

Link:

https://www.unpac.me/results/1ea3c3c4-0f41-451a-b6e4-d2c39e2d6419/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/36b3f981e048ed45c2e2abe1700ae4472119dd8aa50295cf8ae1abc896e62116

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/327599/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample