MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 407da066b56d8c792547a82e039b6d258eba85fe6f7b5dd3656813ca5c2870b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 407da066b56d8c792547a82e039b6d258eba85fe6f7b5dd3656813ca5c2870b3
SHA3-384 hash: 3c969752b32fd083cd3e4babe74824f7688acfff59b77af683b8dbe756054c8e610c95adec4725bdfddd992577a737cf
SHA1 hash: 5c27566f0bff763160bdfc4522a99cb3a4884730
MD5 hash: ed80e4460b3d2e1b818f307bf5a629f7
humanhash: summer-don-stream-india
File name:SKM_Ref_MT103_23-08-2021.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:249'856 bytes
First seen:2021-08-25 17:26:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6923c8ee86140e5fe91a6ff4f0a9d1b8 (2 x GuLoader)
ssdeep 6144:16svF7BBdIuodGBoTdNO0snobD4oFbZBBdIuoMFO6s:16yB0dKxuD4qbB0L6
Threatray 401 similar samples on MalwareBazaar
TLSH T1B9348DF320D76967E523827530EADB3C47423A59D22D1AEAB0D576354AFF3428039B4B
dhash icon d2cec6cae29292a2 (2 x GuLoader)
Reporter Anonymous
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182375/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ea867028-b7cd-4978-80cb-8e35a4d836f6
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839255
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471686 Sample: SKM_Ref_MT103_23-08-2021.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 8 other signatures 2->46 10 SKM_Ref_MT103_23-08-2021.exe 1 2->10         started        process3 signatures4 56 Tries to detect Any.run 10->56 58 Tries to detect virtualization through RDTSC time measurements 10->58 60 Hides threads from debuggers 10->60 13 SKM_Ref_MT103_23-08-2021.exe 6 10->13         started        process5 dnsIp6 34 onedrive.live.com 13->34 36 nwwrma.am.files.1drv.com 13->36 38 am-files.fe.1drv.com 13->38 62 Modifies the context of a thread in another process (thread injection) 13->62 64 Tries to detect Any.run 13->64 66 Maps a DLL or memory area into another process 13->66 68 3 other signatures 13->68 17 explorer.exe 13->17 injected signatures7 process8 dnsIp9 28 www.bcombshair.com 104.252.75.135, 49735, 80 EGIHOSTINGUS United States 17->28 30 www.cashformyguns.com 209.99.40.222, 49754, 80 CONFLUENCE-NETWORK-INCVG United States 17->30 32 22 other IPs or domains 17->32 48 System process connects to network (likely due to code injection or exploit) 17->48 21 raserver.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/407da066b56d8c792547a82e039b6d258eba85fe6f7b5dd3656813ca5c2870b3/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 12:57:43 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
17a00793ae886c9cae84cba40332249374010e64bd168e907d9a16076479ff29
GuLoader
3707f19a40b8b5196bf6bf35dab58bd6e0b586533f47ee4f803f9f991ec5a77a
GuLoader
5e511d66664d13e1276eb5d08ea2e48e004a614d114f2b35c2a742912694dfd7
GuLoader
6fb77f025210f6eafed61a9216a3d9df986d352a5594f62547990fc0880e6e43
GuLoader
8347dcd8992d73ce59c612f2c59381d084fb88fbf2d30f167e95c8ddd4818dad
GuLoader
89d98c4ec833d8a798f26dd15eda6e7868972d52da8074d756b47f682e9f61e0
GuLoader
afa8c23ac5d9fc6fbe15cd6baf1b64c40efd1c62c9ddefe88329d26551db32f2
GuLoader
be4614de71b42f1015076a3c708c09f911091333bdca1792450eccddc5ab1484
GuLoader
c8bdfc9eea22464897b3dae7829464348f27a1ff1989cf33d1de95bc0a99527f
GuLoader
f060225054513f81f7600706174134f5bed19ede10f3134f59514542305c7f2b
GuLoader
+ 391 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210825-jwvhbfe2kn/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
407da066b56d8c792547a82e039b6d258eba85fe6f7b5dd3656813ca5c2870b3
MD5 hash:
ed80e4460b3d2e1b818f307bf5a629f7
SHA1 hash:
5c27566f0bff763160bdfc4522a99cb3a4884730
Link:
https://www.unpac.me/results/53265c5d-a3c8-4aff-9e46-3d67953e1cab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/407da066b56d8c792547a82e039b6d258eba85fe6f7b5dd3656813ca5c2870b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/182375/

Comments