MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments 1

SHA256 hash:	55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6
SHA3-384 hash:	89df85a4746115df158d7eda382d5b01b12b340fd6ef72fe1af18f5f2ffc32e40cb50f60bfe380fde3e1f7d9a3c1e0e2
SHA1 hash:	992d98aa6f31ae6f8f42fac9866a19c2a2f879be
MD5 hash:	c6db01a5743d408fc4f0c37ba58a281f
humanhash:	kilo-papa-early-yellow
File name:	c6db01a5743d408fc4f0c37ba58a281f
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	174'682 bytes
First seen:	2023-05-11 04:40:01 UTC
Last seen:	2023-05-13 22:48:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep	3072:EwJ52Y7ZoH5XJaqKz8HIoLmM4jmrn+tt6JnShq3U2IAMJ3hL0yH3w:EwHysqKzL846r+v8noQU2lyvg
Threatray	586 similar samples on MalwareBazaar
TLSH	T1AF0402927AE0982BE947C73105AF6A76F7BFBD0119742ECF6710BF6E39321029556203
TrID	92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	c9d48c8e9acae871 (8 x GuLoader)
Reporter	zbetcheckin
Tags:	32 exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

371

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c6db01a5743d408fc4f0c37ba58a281f

Verdict:

Malicious activity

Analysis date:

2023-05-11 04:42:34 UTC

Tags:

installer

Link:

https://app.any.run/tasks/24c60f5a-f13d-4ec5-b3a6-63d644e68424

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Guloader

Link:

https://www.capesandbox.com/analysis/388314/

Detection(s):

SecuriteInfo.com.NSIS.PWSX-gen.6133.28383.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Delayed reading of the file

Creating a window

Searching for the window

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/645c71a44427eddb118c057f/reports/74223f7d-9657-44d6-b54b-d93196db11a4/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/46b75758-cced-406d-a78f-8ba791e66264

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1230508

Signature

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-05-10 20:55:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kujqogkvjift3s7zohdenzxgnc3ghn4w6s7atalnibomcwqw27la._file

Verdict:

malicious

Result

Malware family:

guloader

Score:

10/10

Tags:

family:azorult family:guloader discovery downloader infostealer trojan

Link:

https://tria.ge/reports/230511-fah53sbg35/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

Checks QEMU agent file

Loads dropped DLL

Azorult

Guloader,Cloudeye

Malware Config

C2 Extraction:

http://bllsl3.shop/dbazo/index.php

Unpacked files

SH256 hash:

55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6

MD5 hash:

c6db01a5743d408fc4f0c37ba58a281f

SHA1 hash:

992d98aa6f31ae6f8f42fac9866a19c2a2f879be

Link:

https://www.unpac.me/results/18e3e21f-9e5b-472a-b426-d3c0674df397/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/55130719554a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.23

Link:

https://yomi.yoroi.company/submissions/55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

exe 55130719554a0b3dcbf971c646e6e668b663b796f4be09816d405cc15a16d7d6

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/388314/

URLhaus

https://urlhaus.abuse.ch/url/2629425/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-05-11 04:40:02 UTC

url : hxxp://23.94.206.76/240/vbc.exe