MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 434e6827ed58ffd66a28619822626816559605a4e5d7c7cfe8770d3af043527d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	434e6827ed58ffd66a28619822626816559605a4e5d7c7cfe8770d3af043527d
SHA3-384 hash:	eebb9d257b1a5a8969f527fbe7995694810ad0a69d0d14e1ba46058640f85192ebd1f6dcdb5c2076d379d3e29e9002e3
SHA1 hash:	453f88a44b3966a97fc4005a0b6edf894cdc8d41
MD5 hash:	df2413a552334b77e540bb8c69bf9763
humanhash:	thirteen-maryland-hamper-don
File name:	Shipment Document BLINV and packing list.jpg.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	131'072 bytes
First seen:	2021-09-14 17:32:24 UTC
Last seen:	2021-09-15 07:08:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	44cde914d1969d7de2a52adae7c22460 (2 x GuLoader, 1 x Loki, 1 x Formbook)
ssdeep	3072:LpV80D682nPx+iPyPzpfGAz8XISpwDLdImz:LpV80G8AIaybpfb8X5wlIm
Threatray	5'277 similar samples on MalwareBazaar
TLSH	T143D36C61BE0CF62BE684D4F11262F36085D67C23D2548A177928BBCA943274F7CBDB16
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipment Document BLINV and packing list.jpg.exe

Verdict:

No threats detected

Analysis date:

2021-09-14 17:33:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c1718b69-cb7a-4830-b31f-7d35d41800e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/187876/

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/617510e7db358dd15ed922a3/reports/1a5981b9-6cca-4220-b28d-b5e23ed7eaf7/overview

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0b413dfc-de7e-43da-97ba-a05805b5b09f

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

rans.troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/850869

Signature

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

GuLoader behavior detected

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Potential malicious icon found

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

guloader

Link:

https://mwdb.cert.pl/sample/434e6827ed58ffd66a28619822626816559605a4e5d7c7cfe8770d3af043527d/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-09-14 15:20:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 45 (42.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=inhgqj7nld75m2rimgmceyticzkzmbne4xl4pt7io4gtv4cdkj6q._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047

GuLoader

9bdb2adacff9530fde8a0b020e84188b0b39995db62ba167608d8e2493bd3ee4

GuLoader

ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55

GuLoader

afc7d530c112b47cd33295262f533df60f12568ede477091434381b0d6a2cc8c

GuLoader

bd6cf98ff23cdad2f5bb43bb60e61275d8ad1ad7baeb609aa0a812fc048fede0

GuLoader

c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3

GuLoader

db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea

GuLoader

+ 5'267 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/210914-v4t7rsgag3/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/bc8bb68c-cc66-4eeb-859f-e215a216e675/

SH256 hash:

434e6827ed58ffd66a28619822626816559605a4e5d7c7cfe8770d3af043527d

MD5 hash:

df2413a552334b77e540bb8c69bf9763

SHA1 hash:

453f88a44b3966a97fc4005a0b6edf894cdc8d41

Link:

https://www.unpac.me/results/bc8bb68c-cc66-4eeb-859f-e215a216e675/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/434e6827ed58ffd66a28619822626816559605a4e5d7c7cfe8770d3af043527d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/187876/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample