MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 619379c10c3c49152dae38504ebc779e3e6232e33ff7f8b9f23c2695a6d92fcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 619379c10c3c49152dae38504ebc779e3e6232e33ff7f8b9f23c2695a6d92fcb
SHA3-384 hash: 3058ff7795ee75725f204d31fe501b2c31a66f141f771a17b858e6695119f115655b749d748c494c1128594b9880f259
SHA1 hash: b180ba36534cd8aa57f3ca56f06a9c71b1013851
MD5 hash: fc7b2efdf463471ff70ff88f3244c9ad
humanhash: chicken-virginia-alpha-undress
File name:Scanned Proforma copy_pdf.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:61'440 bytes
First seen:2020-12-10 07:00:44 UTC
Last seen:2020-12-10 08:34:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0821586b2482e6b496b4783e86c20f40 (1 x GuLoader, 1 x AveMariaRAT)
ssdeep 768:3gw3tIgTht/Y+493YDMCWIpEv5PWcLQom8zsIsIrmYYxJ:N9DbQ+4hYDfW+E/A8z84m1
Threatray 4'588 similar samples on MalwareBazaar
TLSH 50532BA2557448B5EBB3097F18124D994443AC231A947FC736FC2DCE4A367D304A27BE
Reporter cocaman
Tags:GuLoader scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scanned Proforma copy_pdf.scr
Verdict:
No threats detected
Analysis date:
2020-12-10 07:01:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/41535be5-86b7-4bb2-b710-759f9ba6dc26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107599/
Detection(s):
SecuriteInfo.com.Variant.Razy.802060.19008.18728.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Result
Gathering data
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/559823
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/619379c10c3c49152dae38504ebc779e3e6232e33ff7f8b9f23c2695a6d92fcb/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-12-10 02:53:04 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgjxtqimhrerklnohbie5pdxty7gemxdh737ropshqtjljwzf7fq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0fcd1b468fe2159ca2ca63eaa81655f59ff8f63e3bbd6d7dd789807f7776e0bb
GuLoader
116078d29890c8b0d748b2f2709d2768f7ad9ac04688db1f44189f019f62050f
GuLoader
2b68ba16b8a44890c23fba68bccc1ef620ff3f12fd0d0fc2f7ffab92fcbde46e
GuLoader
37f99fd8cd0da50db89ff0b8fa05029e283aa5ac0cb8770dd17514dbf760f744
GuLoader
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
GuLoader
96806ca7e35fc1840e35d756d2242c494fa734a81d76ceb8586fd10ef6548f39
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
b32598815ea88a25f6459ae8b5035d0ed9c787d8fee5f124a24543c0550d9070
GuLoader
b33804d1bcadb3c28baad638d82f7510ab66451a5a602978dfa8f629e6bdca05
GuLoader
bb5c8472255fad61a597de4e980e2c667c975bd34026c6ac87bbb905588999ea
GuLoader
+ 4'578 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer rat
Link:
https://tria.ge/reports/201210-nwxre8crhn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
619379c10c3c49152dae38504ebc779e3e6232e33ff7f8b9f23c2695a6d92fcb
MD5 hash:
fc7b2efdf463471ff70ff88f3244c9ad
SHA1 hash:
b180ba36534cd8aa57f3ca56f06a9c71b1013851
Link:
https://www.unpac.me/results/20fe6dd5-3d44-4278-88e4-fe7ed3e5a974/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/619379c10c3c49152dae38504ebc779e3e6232e33ff7f8b9f23c2695a6d92fcb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AveMariaRAT

rar 3c6bc4dcd62f6647b85eadf13d0f581fae657cbc4c5053463666d9f5a5a7841e

GuLoader

Executable exe 619379c10c3c49152dae38504ebc779e3e6232e33ff7f8b9f23c2695a6d92fcb

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3c6bc4dcd62f6647b85eadf13d0f581fae657cbc4c5053463666d9f5a5a7841e
Cape
Cape
https://www.capesandbox.com/analysis/107599/

Comments