MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
SHA3-384 hash: 9a91c744b998a83b7604efbdee6c5f77d1ef06bdb9d413e36974956716860ebb981404c2c9a1a80acaf181bb4d4e8ca3
SHA1 hash: 08eeed11867aa351be0d6c48da283721ee6c0769
MD5 hash: 27bf14807bc9d5cd2d823293f43c3a3a
humanhash: minnesota-nine-bluebird-nitrogen
File name:27bf14807bc9d5cd2d823293f43c3a3a.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2021-08-02 13:01:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5565993a5a9f2bfb76f28ab304be6bc1 (7 x GuLoader)
ssdeep 1536:EAPGkc1ug6GUMu+Yg2WGI5XZ4QmiPYefCGk4H:X2bUMEWfXZiea
Threatray 5'308 similar samples on MalwareBazaar
TLSH T10DB36B996B10953FC1B76633DB62DE64CAD50EB8CE44B1298F0CCBFF5847252580A93E
dhash icon 92bcece0e3c4e3f2 (1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Exhibitions Order Detailed list.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-02 12:49:48 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/83c85b07-66f1-4df5-8792-dfc787bbd5ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175809/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c2448934-b404-4b6a-ab83-031b4977a936
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825519
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 12:05:18 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3
GuLoader
5e3c17b9a8fb04fc0de847833073fba6b1f5b4c302c003cfb888f93e4bd54adf
GuLoader
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
GuLoader
73b83d70f24909aea7920a86029b43198979d7e31ab768619371e12fc7399f93
GuLoader
8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
GuLoader
96beaff70c51e04f38db0943eddd24ecc142ef2815d536b82655e25fbf5a54db
GuLoader
d4dadc7dc5e003905cdd8f287bec1c4d751d8d9913689cb0894feb999917d791
GuLoader
e6cd47abf6c7c73449bd05329a0e30a48012c947d8762dd2429333af8d7bc198
GuLoader
f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
GuLoader
faf4898dc104ee27f1d2adafa647094f57d9b282d6b3e7654c78e3d55eada723
GuLoader
+ 5'298 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210802-13jtgeh7vx/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
MD5 hash:
27bf14807bc9d5cd2d823293f43c3a3a
SHA1 hash:
08eeed11867aa351be0d6c48da283721ee6c0769
Link:
https://www.unpac.me/results/01288902-0878-432d-9915-cd83d31eaf6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1489223/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1489224/
Cape
Cape
https://www.capesandbox.com/analysis/175809/

Comments