MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53fe76b7bdc8d214aa7124cac2cd49e6873c5d91d8fdf7ddf3650fa0d11c2240. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53fe76b7bdc8d214aa7124cac2cd49e6873c5d91d8fdf7ddf3650fa0d11c2240
SHA3-384 hash: 0ab219cc575d39b3490c4d0c13430bc6eecb1dc053866ad56985dd4fe506c7374f66b489bdda052d7f90ec3a1934a7fc
SHA1 hash: ec4d3d4a5a83dd0f08096124bd00ee3a52f024bc
MD5 hash: d5605c1ce11a5d84f4c7169c4862a52b
humanhash: three-muppet-leopard-music
File name:SMC PO 1172 Amt-03.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:692'976 bytes
First seen:2022-08-29 07:19:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f23f452093b5c1ff091a2f9fb4fa3e9 (274 x GuLoader, 36 x RemcosRAT, 23 x AgentTesla)
ssdeep 12288:CJ8o/o5PUYdhVYOI4sfKI44SFSy7w1oqpONe90zO8:CJ8EoRUSa4sfKDVFSy7UoSO/
Threatray 13'944 similar samples on MalwareBazaar
TLSH T110E41260FF43FC57ED2859B288A44CE05B617E63D0E3462B214A3A6DF5323529E2C74B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3000f8f8c8e8f4b6 (1 x GuLoader)
Reporter cocaman
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Polycarpic fornjelsessygt
Issuer:Polycarpic fornjelsessygt
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-23T14:31:03Z
Valid to:2025-04-22T14:31:03Z
Serial number: 625bb061b4180419
Thumbprint Algorithm:SHA256
Thumbprint: 771f6af6eb5f99c7d98cd0188f64561bbc1ae343984ea8728a6a507574238ef6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SMC PO 1172 Amt-03.exe
Verdict:
Malicious activity
Analysis date:
2022-08-29 07:23:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/42c3fca1-d3cc-4c9e-aa45-486d85732964

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/302066/
Detection(s):
PUA.Win.Packer.Pequake-4
Create hunting rule

SecuriteInfo.com.Malware.Heuristic.1006.8978.2412.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30662/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/630c68ec116a699e028b144f/reports/38d07a8d-98ed-4acc-9aec-513a5678881e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c91aee8-1074-4d57-9345-0faa84570921
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1059579
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53fe76b7bdc8d214aa7124cac2cd49e6873c5d91d8fdf7ddf3650fa0d11c2240/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 15:40:45 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
18 of 41 (43.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kp7hnn55zdjbjktretfmftkj42dtyxmr3d67pxptmuh2bui4ejaa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c
GuLoader
69d141096955a35ede46b91e97129df4d8faead0e19c9b0badf180b7b0c8600f
GuLoader
8f9cf775cd2f30283dac9c8441e6787000ba95706d467b5199a00b3aaa213ea5
GuLoader
a1a380c16c8b853cc0b4825af9287430debc0ddaafd5f6ac5633ad6341dfb13c
GuLoader
ab68c3f1654e49a32d6750b88ee3f472fe69aa1691998b2bcb76936d054a215a
GuLoader
bc25deacda2e313aef6e1bc19940cbafdc8e881dd00f5b7f9dd1b57c27fd3795
GuLoader
daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610
GuLoader
e0bf87c8ef8c048b6245ada3bf252c6de8ee83c8b2bcd293929eb83ea21073ba
GuLoader
f404a5d8e7a6622e073a2a596e728cb5be383baa2df71924d116db5ed2fa68ee
GuLoader
f958e4ed4aeeb30bdff566e749d1f0974e8a2d01cd3782eae9134c85f39b4f0f
GuLoader
+ 13'934 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220829-h55zfaegb3/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
123b4ed86b561198296ed367f57c6fa0586cfec008d62545ae826341725cb3d6
MD5 hash:
4f5bd183dc0583ed723fbc0e3d4cb11d
SHA1 hash:
92bcb94bdf15319fa76ee728bd58ec13d4419cd6
Link:
https://www.unpac.me/results/178a4340-3293-43c1-a8ef-55f29fa44fd1/
SH256 hash:
2cd80b8929d76b8c8efee218a693581b6cd55ccf68e30d37bacd44ce6c57d5f3
MD5 hash:
37689533bc39b47b09942e525f79bae2
SHA1 hash:
5aa993e074c72b89e7f4ac180f3e92bf83d90a2b
Link:
https://www.unpac.me/results/178a4340-3293-43c1-a8ef-55f29fa44fd1/
SH256 hash:
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
MD5 hash:
0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 hash:
48df0911f0484cbe2a8cdd5362140b63c41ee457
Link:
https://www.unpac.me/results/178a4340-3293-43c1-a8ef-55f29fa44fd1/
SH256 hash:
53fe76b7bdc8d214aa7124cac2cd49e6873c5d91d8fdf7ddf3650fa0d11c2240
MD5 hash:
d5605c1ce11a5d84f4c7169c4862a52b
SHA1 hash:
ec4d3d4a5a83dd0f08096124bd00ee3a52f024bc
Link:
https://www.unpac.me/results/178a4340-3293-43c1-a8ef-55f29fa44fd1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/53fe76b7bdc8d214aa7124cac2cd49e6873c5d91d8fdf7ddf3650fa0d11c2240

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip f5b253f6f3a634898c32bba6a67e62388d5dc059f6e312011bba4b3d3f01db17

GuLoader

Executable exe 53fe76b7bdc8d214aa7124cac2cd49e6873c5d91d8fdf7ddf3650fa0d11c2240

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/302066/
  
Dropped by
SHA256 f5b253f6f3a634898c32bba6a67e62388d5dc059f6e312011bba4b3d3f01db17
  
Dropped by
MD5 22b8c06dcda0ebcb961580ab836c9b1a

Comments