MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb
SHA3-384 hash: 34da8b32e1fcf868c002eb74e66fb16a553b45e7d82c8a52bdbc861004c8f63404d03c6597fdd8b1e397ec612e3dc424
SHA1 hash: bce0830c3c09d664bca5e34b63ee902455a95737
MD5 hash: 684967c8f09c920991d6acf797cd660f
humanhash: glucose-illinois-wolfram-sad
File name:Musculophrenic.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:272'584 bytes
First seen:2023-04-19 11:44:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 6144:KkyacCTf7IdS5/UyV318F2LNk01AaE0USe8AWK:KkNTTIolZV318F8y0/eSe8An
Threatray 785 similar samples on MalwareBazaar
TLSH T1D8440202A2F5C163E4D756748E23CBBE8A75AF540604034B7B61BFAF19305BADA0F395
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8d4d8cce8686869 (5 x GuLoader, 1 x AgentTesla, 1 x Formbook)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-18T06:54:26Z
Valid to:2026-03-17T06:54:26Z
Serial number: 1076e70dc72dd0943220ef2249f5eba897ddb5a1
Thumbprint Algorithm:SHA256
Thumbprint: f14da6dbc053fb32258eb15af4f04bb01514aba2598d3c52e7cdd94fb4e8e1aa
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Musculophrenic.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 11:45:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36f7287b-8d8e-4345-843b-35e2e2598b37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383282/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/643fd440000396b4e9997562/reports/d2eb3cbc-9dbc-4eb5-bf9e-6634f0d0a758/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1fa3494e-8539-42bb-b65f-1017fb380986
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1216803
Signature
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2nkm2lqqomt3hbyoqtlqj2bjj7nejnd3uxb4pv2dnewm5lt7xfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
GuLoader
4669b95ca73b3835e391016b48633970c1d25f4394bf4046b7eabaab725ad0d9
GuLoader
7a91a1cbaa20e78c0e6814b51ed7d239074c95dd348159817e16606a6a04f344
GuLoader
82bb5ca075a83da9c44b1a9214aa7590bf992d8206038b4f3edd6bd8230f966d
GuLoader
83755ee70bf18413768f54bcc785aee64f8d6c3e4be77df8b1996d9e2247cf26
GuLoader
9ac3510864002a124f1c7b61f64da4e87c5b944b21afb4677faa639b61a11929
GuLoader
a97aa6604d2ad5146a8ef252e571d4b0c1e2ee8566964be8086532ef049b10d4
GuLoader
afde76fdce32d093155f03eb1143e15f1114007b21fe72a65bf5b7b6c4c459a8
GuLoader
b394bd2bf5686012f76693ff9daddc941662d0c564e4ac4a530ea34b4b0d8cc6
GuLoader
+ 775 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader spyware stealer
Link:
https://tria.ge/reports/230419-nwq2taca8w/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Guloader,Cloudeye
Unpacked files
SH256 hash:
1188fbf20b7df9e51ec6cba5f1dbff81955a5d0c0b669d9435121c65114e5e01
MD5 hash:
c78acbfe4dfb94888d5620c507a283f6
SHA1 hash:
118e6a02ba6d3670e51d5f9982c159bb6504cd43
Link:
https://www.unpac.me/results/3a6ad6e6-69df-480c-97e2-6f4268060354/
SH256 hash:
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
MD5 hash:
fc90dfb694d0e17b013d6f818bce41b0
SHA1 hash:
3243969886d640af3bfa442728b9f0dff9d5f5b0
Link:
https://www.unpac.me/results/3a6ad6e6-69df-480c-97e2-6f4268060354/
SH256 hash:
569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb
MD5 hash:
684967c8f09c920991d6acf797cd660f
SHA1 hash:
bce0830c3c09d664bca5e34b63ee902455a95737
Link:
https://www.unpac.me/results/3a6ad6e6-69df-480c-97e2-6f4268060354/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/569aa6697083/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383282/

Comments