MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 396cd643a11eec8640903259beefafd56fb24d9d14d99d8fe5d86c01ff8b2741. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 396cd643a11eec8640903259beefafd56fb24d9d14d99d8fe5d86c01ff8b2741
SHA3-384 hash: b8435649220f78f314007b9ee10db5af0fb3d2b29ee4194d4a54a4f84cc5fd700a6ef70d4a020da31e7b05fc4c0d7f9a
SHA1 hash: c8fd3f3405515e41ea1f743fd3fb406c94d80279
MD5 hash: 18d5e1fbf3769c629a632ba3b1968531
humanhash: beryllium-mockingbird-spring-fanta
File name:PO105212065.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2021-02-02 19:52:32 UTC
Last seen:2021-02-09 15:14:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a3f6fbbf3adb41f40267462777f44b (2 x GuLoader)
ssdeep 1536:bGRDB3QDgky7EXS4f2PSALSqlIabn+fTniBmkTM55+GDBz:baiC71fdlOKnG
Threatray 4'729 similar samples on MalwareBazaar
TLSH 95B3E8A3B282FA86D104C0B15D46C7FC8257FE76CF198A0B71C12B1D7A7AAC09960777
Reporter GovCERT_CH
Tags:GuLoader

Intelligence

File Origin
# of uploads :
10
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO105212065.bat
Verdict:
No threats detected
Analysis date:
2021-02-02 10:18:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/38ca3864-73bb-463a-970e-f136d99f916d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115224/
Detection(s):
Win.Malware.Generic-9829111-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/597173
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/396cd643a11eec8640903259beefafd56fb24d9d14d99d8fe5d86c01ff8b2741/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-02-02 05:40:38 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hfwnmq5bd3wimqeqgjm3535p2vx3etm5ctmz3d7f3bwad74le5aq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
6f05a4c741ce687b728cad820f1bf2667037ae77a51760a559765195115d0ab9
GuLoader
84f409f8aee0cf253fba68ae4027348449045f7bfb8723ac8fe0336c21c0b0f6
GuLoader
87fdcca436e0e9e220acb51332720668c04460d48d1791368e734c1539bd1f77
GuLoader
9532627f43a3de7b9c4414517f18197a08969adec3c24e1c2f1856e32613d5cd
GuLoader
b584d8b69ef7c3f2689e4cecbec9932b84ca55e03c87b1aa9a9b9f56a1ba6c94
GuLoader
c1ccf8689de88be32890345e454df2f1fa90e1e4033c0f63425001af42f7aef5
GuLoader
d07136d108ff4e1867ba77d46bd6f9e9f83e64566d83b1b7c2099dd0de7fc4a3
GuLoader
dde6436d3e8a969f96e4ccec6904631d562efad960e0e9a6a2a865174750f3d6
GuLoader
edc7cf96821b2ba673f3a1df6c3cb50057cb0637259d2905279aae1630794cf9
GuLoader
ffde5f140ccfa44ed65b3e0e26b53988317a3bb314fae58a94d73ea47e7cb943
GuLoader
+ 4'719 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210202-9rpv1je8h6/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
396cd643a11eec8640903259beefafd56fb24d9d14d99d8fe5d86c01ff8b2741
MD5 hash:
18d5e1fbf3769c629a632ba3b1968531
SHA1 hash:
c8fd3f3405515e41ea1f743fd3fb406c94d80279
Link:
https://www.unpac.me/results/3ff72acc-df24-4126-9ae6-b8563576ff61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/396cd643a11eec8640903259beefafd56fb24d9d14d99d8fe5d86c01ff8b2741

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 5e8df463008c053a8e172aa9f867ab3c1e5be77044e7fb474c9b88af79f2e1b3

GuLoader

Executable exe 396cd643a11eec8640903259beefafd56fb24d9d14d99d8fe5d86c01ff8b2741

(this sample)

  
Dropped by
MD5 d3dd53cb9c741a9ba9481b7f27502beb
  
Dropped by
SHA256 5e8df463008c053a8e172aa9f867ab3c1e5be77044e7fb474c9b88af79f2e1b3
  
Dropped by
GuLoader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115224/

Comments