MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b73187bb0bb1bc3f9b112710969da4340b5791d63c6ac0d45f7c2bbf2dfd588. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b73187bb0bb1bc3f9b112710969da4340b5791d63c6ac0d45f7c2bbf2dfd588
SHA3-384 hash: 29dda7a3eff650ad302ed5bf9abd1a6fc5c26cd0268994eedf41a16f74305a9c443c1506a94d5bc14f759a79abb84974
SHA1 hash: b0806ab4ea8a53ab93e028a6eb9a3496c22da859
MD5 hash: cb5dc8065dc38d47971aada093d6eea2
humanhash: wisconsin-spring-muppet-robin
File name:cb5dc806_by_Libranalysis
Download: download sample
Signature GuLoader
Create hunting rule
File size:126'976 bytes
First seen:2021-05-13 12:03:38 UTC
Last seen:2021-05-13 12:53:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f760b809c5b0e6410f619baf65ded14c (1 x GuLoader)
ssdeep 1536:L3Vqn/qCIcc1/fjGarN+PTKkAHq2e2ZkfjR1TqCIcrqnS3:L8nCCE/fjfYTKEvAkfjn+C8nS
Threatray 5'037 similar samples on MalwareBazaar
TLSH 21C36B27A37E4C46DE461F7140AFD898C57B789124394EAB39987C2F0F74792E44AD0B
Reporter Libranalysis
Tags:GuLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cb5dc806_by_Libranalysis
Verdict:
No threats detected
Analysis date:
2021-05-13 12:21:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7664a0cb-c3fa-4848-bcbd-4e7051a0f814

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/156143/
Detection(s):
SecuriteInfo.com.Variant.Barys.5033.17864.23084.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/780980
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 413376 Sample: cb5dc806_by_Libranalysis Startdate: 13/05/2021 Architecture: WINDOWS Score: 100 45 jpfcomputings.nl 2->45 47 KTS666.PUBLICVM.COM 2->47 67 Found malware configuration 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected GuLoader 2->71 73 6 other signatures 2->73 9 cb5dc806_by_Libranalysis.exe 1 2 2->9         started        12 wscript.exe 2->12         started        14 wscript.exe 2->14         started        signatures3 process4 signatures5 75 Creates autostart registry keys with suspicious values (likely registry only malware) 9->75 77 Contains functionality to detect hardware virtualization (CPUID execution measurement) 9->77 79 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 9->79 81 4 other signatures 9->81 16 cb5dc806_by_Libranalysis.exe 9 9->16         started        21 flkkserdanseusesc.exe 2 12->21         started        23 flkkserdanseusesc.exe 2 14->23         started        process6 dnsIp7 43 jpfcomputings.nl 217.195.152.28, 443, 49723, 49726 SHOCK-1US Netherlands 16->43 39 C:\Users\user\...\flkkserdanseusesc.exe, PE32 16->39 dropped 41 C:\Users\user\...\flkkserdanseusesc.vbs, ASCII 16->41 dropped 25 WerFault.exe 9 16->25         started        27 WerFault.exe 20 9 16->27         started        29 WerFault.exe 16->29         started        55 Multi AV Scanner detection for dropped file 21->55 57 Machine Learning detection for dropped file 21->57 59 Contains functionality to detect hardware virtualization (CPUID execution measurement) 21->59 65 2 other signatures 21->65 31 flkkserdanseusesc.exe 7 21->31         started        61 Tries to detect Any.run 23->61 63 Hides threads from debuggers 23->63 35 flkkserdanseusesc.exe 23->35         started        file8 signatures9 process10 dnsIp11 49 jpfcomputings.nl 31->49 51 Tries to detect Any.run 31->51 53 Hides threads from debuggers 31->53 37 WerFault.exe 31->37         started        signatures12 process13
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3b73187bb0bb1bc3f9b112710969da4340b5791d63c6ac0d45f7c2bbf2dfd588/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-04-27 15:08:20 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnzrq65qxmn4h6nrcjyqs2o2inalk6i5mpdkydkf67blx4w72wea._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1331627a168114afd060f2e1f87af4c73de8e7960aeb045b3df51b0cd83ee65c
GuLoader
1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
GuLoader
1db568f6ff72a35878d8772fa11e25a64d2b38447580fba8bdbee9c1b946a621
GuLoader
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
GuLoader
647fee1c3bc734439133bd78fe6519ad349501ac7a83e179601950f97fe96e1f
GuLoader
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
GuLoader
8da926aa551c97f9f4b69843e78e01ab7c2422d5b6490307e5e3ae66c115cf53
GuLoader
e6ae69a007404e1d3dc15350940a8f92750c3af9e4accb76be1cae8aea98804a
GuLoader
e6cd47abf6c7c73449bd05329a0e30a48012c947d8762dd2429333af8d7bc198
GuLoader
e8023299c187748c37d44d26af0165f9429a89fa364bfd243c201252fa78e160
GuLoader
+ 5'027 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210513-lf4vvtwqqe/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Malware Config
C2 Extraction:
https://jpfcomputings.nl/b/bitrratrw_KWQGoLaD112.bin
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/156143/

Comments