MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60ccdec92b23413b1b5391cb9923931e5b151f0f5877f1f90d730f0fede5f365. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60ccdec92b23413b1b5391cb9923931e5b151f0f5877f1f90d730f0fede5f365
SHA3-384 hash: b1a5b49d80a5a805b063109a6564cd6e6b55cd97cce22a1c58fc6bba15a5ec3c8f21f833020c043c8f2b75ef12866acf
SHA1 hash: 8151ae0df266977ae735def0b382c1315ce88666
MD5 hash: 200145e8e34bfa4d77bb6c7469efb39c
humanhash: sixteen-charlie-lima-timing
File name:SecuriteInfo.com.Gen.Variant.Ursu.860578.21308.11292
Download: download sample
Signature GuLoader
Create hunting rule
File size:173'056 bytes
First seen:2020-05-06 22:39:32 UTC
Last seen:2020-05-07 04:31:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 3072:nOhX097+C1z5GWp1icKAArDZz4N9GhbkrNEkYYBuE2N6VCOk+Z:OhE97+wp0yN90QE8v2N6YkZ
Threatray 463 similar samples on MalwareBazaar
TLSH D704B003ABE88077D9F51BB058F603D30B36BCA18D78836B2785695E0DB3694A57173B
Reporter SecuriteInfoCom
Tags:GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Ursu.860578.29996.8063.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 23:47:00 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
1d7f1bd2e98ab61ef9f350289c83791d4da1463576ea3591b8cf3b9228f506ab
GuLoader
4a3e5ec3cb8e7de4807f8ab6684291a02eea7a64c76f0e32df1b0a0bb17c047c
GuLoader
5540d3256d4e24a41945ff8d40078deb2d5531242639d718b122f3044d52420d
GuLoader
60c2a6a0bc12f4b6fd4ecb473d5de3d9de561ee3125055dbbf2d8ff12bb83f60
GuLoader
68f66dd88b1a69a8ff2e63cca5e4554e1b147ccd2474d356b60a749c21412fd4
GuLoader
7d53275640b52b08bb54259f6bc85edad2dfe30b6b5f9cea9ddc8d7469d97cd8
GuLoader
884209a719966f7d043193d01453eb707f176dab896173c493097f09940ded43
GuLoader
98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced
GuLoader
9e6cf2b57d1e96bced0f7742e883a8fdf94847fcf3344ae55f05324b59fde328
GuLoader
baac016255a128a1209211bba2a47979f3392f12c41d5805469f899eba6de47b
GuLoader
+ 453 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
persistence family:netwire botnet rat stealer
Link:
https://tria.ge/reports/201109-q2c17dxd9e/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Checks QEMU agent state file
Executes dropped EXE
Modifies Installed Components in the registry
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 60ccdec92b23413b1b5391cb9923931e5b151f0f5877f1f90d730f0fede5f365

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/359045/
  
Delivery method
Distributed via web download

Comments