MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a70f3731b7051eeb948a4af1f7d95b59152c419256098151b65774debc4640e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	3a70f3731b7051eeb948a4af1f7d95b59152c419256098151b65774debc4640e
SHA3-384 hash:	15978e99ec63549885e862264422e7da9586e65b2449c2bd594d5f4a120b47e50993ef07677a1733c5de2b8dd81fafae
SHA1 hash:	1b4897885722031b63685727b71282ebbe500a07
MD5 hash:	e486be08fed5325409c868e2b845127e
humanhash:	california-red-summer-alabama
File name:	PO-TO003256.001
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	149'841 bytes
First seen:	2022-12-18 07:45:21 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	3072:KOIxJbPOWxS9p96URfwgfv3dC6oBjQBIlTGlG6XXV1wMO/:5IvbPB2fvtCREvF1g
TLSH	T161E3126C1C5E1D0BDFC8E38DC0D598F863E9B446506AE8358878D6892C471F60EE98EB
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	001 GuLoader rar

cocaman

Malicious email (T1566.001)
From: "Marc Lemmers Usedcentral.net <mlemmers@usedcentral.net>" (likely spoofed)
Received: "from usedcentral.net (unknown [5.182.37.97]) "
Date: "13 Dec 2022 21:30:10 -0800"
Subject: "PO-TO003256"
Attachment: "PO-TO003256.001"

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PO-TO003256.exe
File size:	164'800 bytes
SHA256 hash:	449923544b5d76b31a84b7d58cc5cd72d44da67b5fa92f28f5dc603ce066abf0
MD5 hash:	64920935cd3d9e108a5f413db65d0f3b
MIME type:	application/x-dosexec
Signature	GuLoader

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27572.Rar5Heur.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/3a70f3731b7051eeb948a4af1f7d95b59152c419256098151b65774debc4640e/results/dashboard

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3a70f3731b7051eeb948a4af1f7d95b59152c419256098151b65774debc4640e/

Threat name:

Win32.Trojan.Minix

Status:

Malicious

First seen:

2022-12-14 05:46:23 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hjypg4y3obi65okiusxr67mvwwivfrazevqjqfi3mv3u326emqha._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/221218-jqepdadh71/

Behaviour

Enumerates physical storage devices

Checks installed software on the system

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.23

Link:

https://yomi.yoroi.company/submissions/3a70f3731b7051eeb948a4af1f7d95b59152c419256098151b65774debc4640e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.