MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 448234787d7924280fedbb49f5702f0483ef8046394f8adc14006f3f8b6793b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 448234787d7924280fedbb49f5702f0483ef8046394f8adc14006f3f8b6793b2
SHA3-384 hash: a98d53c383e1bae5b21b190358fb08e1651526555bd88a52466c239f738e32b93b4806954e473d607b8b6961508c4ea8
SHA1 hash: 5ae9b3ac9bdcd5e7dab1c410c045a1d5612f7c35
MD5 hash: ba180bccd6a7bf1e60cfb99a752c7e6d
humanhash: mango-sad-mike-michigan
File name:SecuriteInfo.com.Gen.Variant.Nemesis.11494.10934.27608
Download: download sample
Signature GuLoader
Create hunting rule
File size:546'639 bytes
First seen:2022-10-10 19:46:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ea4df5d94204fc550be1874e1b77ea7 (241 x GuLoader, 29 x RemcosRAT, 17 x VIPKeylogger)
ssdeep 6144:5B+pgUzkmJo/iXl2PfBanorGGJDObbczjS08gwNYVqWrrG/wBoaxL4QXH:5gLaiXBn8GGJyCdraiFb
Threatray 1'588 similar samples on MalwareBazaar
TLSH T151C4B49A933B6FC6C09023FF284034D89173DFB970AAD5E7D98C3A3EE1B4AD05524599
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c85838f0e8f8cc6c (3 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318631/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.11494.10934.27608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42345/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/634476b81ddf36bcc3f44853/reports/915386fc-811f-4934-b483-3b184f80c031/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ed9b21b2-29c9-4006-83d7-0df3c95b0fde
Result
Threat name:
GuLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1087202
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/448234787d7924280fedbb49f5702f0483ef8046394f8adc14006f3f8b6793b2/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 15:21:19 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=isbdi6d5pescqd7nxne7k4bpasb67acghfhyvxauabxt7c3hsoza._file
Verdict:
unknown
Similar samples:
595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb
GuLoader
67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6
GuLoader
691b3c73fa3301b9c36de80df0e7aa9d551a87ccc77a04b93786d6f1f5a41969
GuLoader
6e8977c63ed912222192ae6dd049abfa6b3633b1319627e932841d350dfeb1aa
GuLoader
ab2036dc90a503a003ed28e17ed2cf24001848be05580b6246656f88abe01c86
GuLoader
aba19cc38e4985676b27e5a87d4e11c8bdbb8ee25f27b0482512153bb8483f0c
GuLoader
be9fb9f5c528b848b05752124232ff1525b502f082b0b821a562c948a38aed72
GuLoader
d8dd31c9892f465f4638fed1a91de225b04c3fb695dcb2fc0c93111cce584f7a
GuLoader
e99458ebd23933338555907993fb3cbce8dc5a36fb57fd69e43703bdbc0fa340
GuLoader
+ 1'578 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:redline botnet:mrurch discovery downloader infostealer spyware
Link:
https://tria.ge/reports/221010-yhhtdschh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
RedLine
RedLine payload
Malware Config
C2 Extraction:
23.146.242.135:12896
Unpacked files
SH256 hash:
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
MD5 hash:
fc3772787eb239ef4d0399680dcc4343
SHA1 hash:
db2fa99ec967178cd8057a14a428a8439a961a73
Link:
https://www.unpac.me/results/26657860-5d3f-4a1e-9ac2-8e7d0349b07b/
SH256 hash:
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3
MD5 hash:
1b76bca7bef0f515d39f31e3c084f31d
SHA1 hash:
92705562f13db5967e66624286f8291477b7b217
Link:
https://www.unpac.me/results/26657860-5d3f-4a1e-9ac2-8e7d0349b07b/
SH256 hash:
9d1849425597da7e314adb3d6300f6a6cf70aecebdd36276120a4f399a0ca14c
MD5 hash:
e89c979ddf75a064ea3cd8d5cca760f7
SHA1 hash:
a6774daf7206644c96411186b09639e5426f0513
Link:
https://www.unpac.me/results/26657860-5d3f-4a1e-9ac2-8e7d0349b07b/
SH256 hash:
448234787d7924280fedbb49f5702f0483ef8046394f8adc14006f3f8b6793b2
MD5 hash:
ba180bccd6a7bf1e60cfb99a752c7e6d
SHA1 hash:
5ae9b3ac9bdcd5e7dab1c410c045a1d5612f7c35
Link:
https://www.unpac.me/results/26657860-5d3f-4a1e-9ac2-8e7d0349b07b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/448234787d7924280fedbb49f5702f0483ef8046394f8adc14006f3f8b6793b2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318631/

Comments