MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494
SHA3-384 hash: a8e062e920a815e1d362b5343442c370a4f6338efeb473706a85f35619950368f1a320dc987beb0fdd7186cd6b8c0d05
SHA1 hash: c7a383acd0fea19b35ce5e1ef784468ab0527e74
MD5 hash: 331795ffdb6c9f6940d86d4a59c6180e
humanhash: iowa-lithium-magnesium-blue
File name:331795ff_by_Libranalysis
Download: download sample
Signature GuLoader
Create hunting rule
File size:112'368 bytes
First seen:2021-05-19 19:01:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 1536:wLqAFgxItUWdbe489wm1ucOJZq2HDjmwaHKLzaOcMBnLn:wLqlxCUWdq9KFJ42HPjnLeOcMBnLn
Threatray 1'413 similar samples on MalwareBazaar
TLSH 93B3D47ABAFBE574FE1884F0274C47E881972E78C554894BDDC21418A7F1636A6203FB
Reporter Libranalysis
Tags:GuLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
331795ff_by_Libranalysis
Verdict:
Malicious activity
Analysis date:
2021-05-19 19:40:24 UTC
Tags:
trojan rat nanocore
Link:
https://app.any.run/tasks/90b1ed29-2d2a-48aa-9366-bcd3253b61ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158756/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.21653.1713.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785298
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 13:50:38 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lz2igpuptjxivewmuno6ex5q223izbgqxqrltsjzwultplfygska._file
Verdict:
unknown
Similar samples:
12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d
GuLoader
184676b18d687073308c791c9145f0b0c8bc6a75fd4ed7aff7803381701c06f0
GuLoader
22b13820a6139c7682d5e1108aefde2200dc593e14fe7fca28eb27d5e616bef7
GuLoader
34a666042ff3ad45f4e1e37776cc55d4f4fdd1bcd8233852839d55fc076410d1
GuLoader
39874f3eb3d660ef8af1c02af08ddfa4d3dc14aedf2c216e3e1f8639813bf2e1
GuLoader
414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65
GuLoader
6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
GuLoader
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
GuLoader
c943a100bc29344a690516900fd3fc830c0af1646499ade9e082e76cdf45901f
GuLoader
f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
GuLoader
+ 1'403 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:nanocore downloader evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210519-mw5k3ghlnx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks QEMU agent file
Guloader,Cloudeye
NanoCore
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/MEKI%20NEW_rGDXhItdtA168.bin
:2486
wywtrwbnmhtytrebsgwtfcvzcxgjhyegvbcnmgte.ydns.eu:2486
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/158756/
  
URLhaus
https://urlhaus.abuse.ch/url/1255991/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-19 20:07:33 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing