MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3af49fce9f6cc25060d3793a775511c4139411304e51ac4c70d4fb1ed7431e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3af49fce9f6cc25060d3793a775511c4139411304e51ac4c70d4fb1ed7431e35
SHA3-384 hash: 2537bf0ce79d7f24e473df0b08347cdf2a357c45cb1f20186a74c139f46537474b202c85ed6384bc59452c52d7e83ee7
SHA1 hash: e8e62c71c598245af15428024530a738a53d053d
MD5 hash: b5c7e731f4d3d06b42c5b7e48bb39904
humanhash: zebra-april-happy-zebra
File name:b5c7e731f4d3d06b42c5b7e48bb39904.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2020-09-12 07:35:41 UTC
Last seen:2020-09-12 08:34:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b45394cd099bbcd25d2ff03c50afd92b (1 x GuLoader)
ssdeep 768:GX798NB2aG8ltLR+b8q2kGqvRWaRcfDll4YA0pylc8c78Rlu:1N0T8N+jNtJwSu8cQS
Threatray 7 similar samples on MalwareBazaar
TLSH 13735AB2E054DCB0D953D6FA6F72469C0298EDF82A61D88B3B6C3F1F8E718149C48716
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://gbhomehealth.org/main/new_IKWPviGP254.bin
http://gbhomehealth.org/back/new_IKWPviGP254.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58751/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.39798.5712.31258.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/464688
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3af49fce9f6cc25060d3793a775511c4139411304e51ac4c70d4fb1ed7431e35/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-09-11 20:26:43 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hl2j7tu7ntbfaygtpe5hoviryqjziejqjzi2ytdq2t5r5v2ddy2q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
11e021f5ccf8e8af0f64a10c1fae6285df671c2ad5a97d30f0d888374764128b
GuLoader
1da069d39e2e88c624698760567c4019ca2de990b05c429be843355a0531b51a
GuLoader
4d0dfe01c27dfd2c35464a3f435cfb4cad6e996d6fc407cc8f10fc0b3d0692fe
GuLoader
73c6461867083483568798834d7f557a61696d61d0eae801e95977f2704a5af9
GuLoader
9be235495bd4696901a7e0538b3d96f6996268c67c1b607cdc8e33a794a6a9da
GuLoader
b6da2d04d96152fd010853b3fd0f67ef92af20e81b47a9395617050f11f53b9a
GuLoader
f21872a03fcb62dbac5cd7ea2c92db4595f4a55906d7a91ffa6ce5cae2b84e91
GuLoader
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:remcos
Link:
https://tria.ge/reports/200912-ckkdp1ddce/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
newrem.duckdns.org:4229
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/3af49fce9f6cc25060d3793a775511c4139411304e51ac4c70d4fb1ed7431e35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 3af49fce9f6cc25060d3793a775511c4139411304e51ac4c70d4fb1ed7431e35

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/466884/
Cape
Cape
https://www.capesandbox.com/analysis/58751/
  
URLhaus
https://urlhaus.abuse.ch/url/467114/
  
Delivery method
Distributed via web download

Comments