MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 476bb9c473787445f22e5a80de8a48d0bb273817f0d25bec1c491f6fde8b1770. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 476bb9c473787445f22e5a80de8a48d0bb273817f0d25bec1c491f6fde8b1770
SHA3-384 hash: ead05d5e8f09c6a84c4ea8e6b8355b021d98ce7a50116ca0ad64c5cac299ff6b4bb4dc3f7b62ae490547fe731cf7b42b
SHA1 hash: fa2ce57d7f09cbcb111b016a4cba22aa90177a68
MD5 hash: bb5389e43dc0fc3296caaf3516603155
humanhash: johnny-skylark-chicken-blossom
File name:bb5389e43dc0fc3296caaf3516603155.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:122'880 bytes
First seen:2020-05-26 10:55:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 73ec2b17fe6d13e0337a03d4dc61eedc (1 x GuLoader)
ssdeep 1536:lc7UlK+T1RmavGyPDKsU5jkgQLFZUNAx9O+/BEaxg6XZcxaY:lc7sK+TGYGyLqjb2Y+NxgrX
Threatray 624 similar samples on MalwareBazaar
TLSH 74C3F612B5D49D91FD018DB009639AF74D2BBC391E248F07B388BE4E163B68566F0B5E
Reporter abuse_ch
Tags:AsyncRAT exe GuLoader RAT


Avatar
abuse_ch
GuLoader payload URLs:
https://drive.google.com/uc?export=download&id=1YGTTna5phVrxIO4Xj2UfIubib5FkjaLd
http://plututiso.ug/Host_BOoatbvhE36.bin
http://blockchains.pk/Host_BOoatbvhE36.bin

AsyncRAT payload URL:
http://plututiso.ug/ac.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4987/
Detection(s):
Win.Dropper.NetWire-7899317-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 06:56:49 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
02598592bee4d0e9a9b20966d8843b3541d7041a7e307b091369f0554e28888b
GuLoader
06d9da2523f02f99abd5192967db5700ad9b1e8356bc5e290d0f449b6a1e70a4
GuLoader
1af39187ccacdf73f47da74611b9fb4582ca0d186cfedb27b557899a5eca6b9d
GuLoader
38a5466ed6bf2ea0c3e206b7ce9520da9c0104fbe0ddc33012ef73087e0c754c
GuLoader
4850ce25c3caf99fc7f558ec6666d08c43d69ed4e1be9a8fd37f289db69561ab
GuLoader
5d0e0a36fee02ee2299dc84c2d1b6e6a2b59f68a6f7ccfe00d213704adbb7df5
GuLoader
70e19ae033d90f86fa356b14a9545c1444ba59d09037bc61f0e3fb9ae92e4386
GuLoader
90dcb385b06592664cb04ab1ac751748aafd8d8f9673547e19c8370bb614acf2
GuLoader
b1fd1e541922f806d521a8a0925822f85060919230b70c7dfdf6eb7c36b02502
GuLoader
f57973fe9b7144fd299f70cc04bcde1e442f6816de323361f1b09cb63c4e41b4
GuLoader
+ 614 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-sast2es4ej/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 476bb9c473787445f22e5a80de8a48d0bb273817f0d25bec1c491f6fde8b1770

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/367551/
  
URLhaus
https://urlhaus.abuse.ch/url/367172/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/4987/

Comments