MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5736beeb3bcccf928f1520272f417f37c19758762b14819485c8a1bf6220b817. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5736beeb3bcccf928f1520272f417f37c19758762b14819485c8a1bf6220b817
SHA3-384 hash: bb84847b11fab6bd1e42d4cd3b575ecee761aa3edac40d8fa4b63e343c34fd9f001bd0cbec25292077326e01b93c6ae4
SHA1 hash: cd9e6dd5e7c55e9bebf9f184c6826f7548185006
MD5 hash: 0d7c11c2202fff468c4e9f8ed29b682d
humanhash: north-robin-gee-sad
File name:SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021
Download: download sample
Signature GuLoader
Create hunting rule
File size:549'606 bytes
First seen:2022-10-10 12:08:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ea4df5d94204fc550be1874e1b77ea7 (241 x GuLoader, 29 x RemcosRAT, 17 x VIPKeylogger)
ssdeep 6144:5B+pgUzkmJo/iXl2PfBanor7zs1fP/mz2Po9Row9AckGsePWy:5gLaiXBn87QRmio9CweGsdy
Threatray 4'788 similar samples on MalwareBazaar
TLSH T19EC4B39A923B5FD6C09123FF284034C89173DFB970AAD5E7DA8C3B3EE0B0AD15524599
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c85838f0e8f8cc6c (3 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318378/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42225/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63440b621ddf36bcc3f43b39/reports/ea235813-6e5e-4e38-9da4-7acdd94bbb86/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1507d022-f33d-4577-9909-bfaf1e82e444
Result
Threat name:
GuLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086844
Signature
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected GuLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 719401 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 10/10/2022 Architecture: WINDOWS Score: 100 43 api.ip.sb 2->43 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected GuLoader 2->51 53 Yara detected RedLine Stealer 2->53 55 4 other signatures 2->55 8 SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe 4 44 2->8         started        signatures3 process4 file5 37 C:\Users\user\...\System.Web.HttpUtility.dll, PE32+ 8->37 dropped 39 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->39 dropped 41 C:\Users\user\AppData\Local\...\System.dll, PE32 8->41 dropped 61 Writes to foreign memory regions 8->61 63 Mass process execution to delay analysis 8->63 65 Tries to detect Any.run 8->65 12 CasPol.exe 8->12         started        16 powershell.exe 8->16         started        18 powershell.exe 8->18         started        20 72 other processes 8->20 signatures6 process7 dnsIp8 45 23.146.242.135, 12896, 49842, 49845 VDI-NETWORKUS Reserved 12->45 47 178.32.51.31, 49841, 80 OVHFR France 12->47 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->67 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->69 71 Tries to harvest and steal browser information (history, passwords, etc) 12->71 73 2 other signatures 12->73 22 conhost.exe 12->22         started        24 conhost.exe 16->24         started        27 conhost.exe 18->27         started        29 conhost.exe 20->29         started        31 conhost.exe 20->31         started        33 conhost.exe 20->33         started        35 69 other processes 20->35 signatures9 process10 signatures11 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->57 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5736beeb3bcccf928f1520272f417f37c19758762b14819485c8a1bf6220b817/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 12:09:11 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
17 of 40 (42.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k43l52z3zthzfdyveats6ql7g7azowdwfmkidfefzcq36yraxalq._file
Verdict:
malicious
Similar samples:
595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb
GuLoader
67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6
GuLoader
691b3c73fa3301b9c36de80df0e7aa9d551a87ccc77a04b93786d6f1f5a41969
GuLoader
6e8977c63ed912222192ae6dd049abfa6b3633b1319627e932841d350dfeb1aa
GuLoader
ab2036dc90a503a003ed28e17ed2cf24001848be05580b6246656f88abe01c86
GuLoader
aba19cc38e4985676b27e5a87d4e11c8bdbb8ee25f27b0482512153bb8483f0c
GuLoader
be9fb9f5c528b848b05752124232ff1525b502f082b0b821a562c948a38aed72
GuLoader
d8dd31c9892f465f4638fed1a91de225b04c3fb695dcb2fc0c93111cce584f7a
GuLoader
e99458ebd23933338555907993fb3cbce8dc5a36fb57fd69e43703bdbc0fa340
GuLoader
+ 4'778 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/221010-pbfwsabga2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f3c78fd1-6e51-4e5e-84f2-2b41e5f18497
Unpacked files
SH256 hash:
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
MD5 hash:
fc3772787eb239ef4d0399680dcc4343
SHA1 hash:
db2fa99ec967178cd8057a14a428a8439a961a73
Link:
https://www.unpac.me/results/b524408e-6ede-4a86-9f58-3890ba2954de/
SH256 hash:
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3
MD5 hash:
1b76bca7bef0f515d39f31e3c084f31d
SHA1 hash:
92705562f13db5967e66624286f8291477b7b217
Link:
https://www.unpac.me/results/b524408e-6ede-4a86-9f58-3890ba2954de/
SH256 hash:
9d1849425597da7e314adb3d6300f6a6cf70aecebdd36276120a4f399a0ca14c
MD5 hash:
e89c979ddf75a064ea3cd8d5cca760f7
SHA1 hash:
a6774daf7206644c96411186b09639e5426f0513
Link:
https://www.unpac.me/results/b524408e-6ede-4a86-9f58-3890ba2954de/
SH256 hash:
5736beeb3bcccf928f1520272f417f37c19758762b14819485c8a1bf6220b817
MD5 hash:
0d7c11c2202fff468c4e9f8ed29b682d
SHA1 hash:
cd9e6dd5e7c55e9bebf9f184c6826f7548185006
Link:
https://www.unpac.me/results/b524408e-6ede-4a86-9f58-3890ba2954de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5736beeb3bcccf928f1520272f417f37c19758762b14819485c8a1bf6220b817

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318378/

Comments