MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 624144b2f3c5ac061a7ba15175e01fdbd9c2d3038b56e5c73b9ec4b5a480e47e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 624144b2f3c5ac061a7ba15175e01fdbd9c2d3038b56e5c73b9ec4b5a480e47e
SHA3-384 hash: ee7aa5f9b970baeabe294f2c3aa6cd56368c04becfd318fd033f88213aef4caf7af16f49b48f4e2d44d18919b9cece5f
SHA1 hash: f7fb3eef5599ff26da544b8ea2b7dc3503b3238c
MD5 hash: 92c690854d94126889ad09b5d948af3b
humanhash: floor-saturn-don-jig
File name:SKMBT Ref MT103 27042021.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:131'072 bytes
First seen:2021-04-28 08:12:28 UTC
Last seen:2021-04-28 14:47:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6aa5b81436a45ca75593788a1c1a8a0f (1 x GuLoader)
ssdeep 1536:yRs8rcQd7eOJ+LyTybGBlxJWliqigWo8FzMptzQElqqfAR/m:c0QZeOJ+ElgD8FzMLzQcqqfAR/m
Threatray 2'529 similar samples on MalwareBazaar
TLSH 9AD3A6663254AC3BC95545F8EB240DAC7B70EB3D3A1A848381F2D5073F65B86F3296E1
Reporter Anonymous
Tags:GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKMBT Ref MT103 27042021.exe
Verdict:
No threats detected
Analysis date:
2021-04-28 08:07:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/23188d06-bfd6-4b65-89e7-0ed38e896c43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/144881/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99ce034f-620f-4cd7-910a-791bfde57a99
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/700266
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 399058 Sample: SKMBT Ref MT103 27042021.exe Startdate: 28/04/2021 Architecture: WINDOWS Score: 100 29 www.3monthrule.com 2->29 31 3monthrule.com 2->31 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Potential malicious icon found 2->43 45 Found malware configuration 2->45 47 9 other signatures 2->47 11 SKMBT Ref MT103 27042021.exe 2->11         started        signatures3 process4 signatures5 57 Tries to detect Any.run 11->57 59 Hides threads from debuggers 11->59 14 SKMBT Ref MT103 27042021.exe 6 11->14         started        process6 dnsIp7 35 onedrive.live.com 14->35 37 jgvhdw.by.files.1drv.com 14->37 39 by-files.fe.1drv.com 14->39 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Tries to detect Any.run 14->63 65 Maps a DLL or memory area into another process 14->65 67 3 other signatures 14->67 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 33 www.maternityclothez.com 18->33 49 System process connects to network (likely due to code injection or exploit) 18->49 22 chkdsk.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/624144b2f3c5ac061a7ba15175e01fdbd9c2d3038b56e5c73b9ec4b5a480e47e/
Verdict:
unknown
Similar samples:
148588102731dd9742cd698c882b48c4b49cbfdd868647a83a15a0cbb1f0c8ca
GuLoader
1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b
GuLoader
250051d6d9bd369c1b513ab41b5f9da87b04166af831d170dcab225aa0d86913
GuLoader
4faf0330a092329562d8d79c71cb143e22af30b106a24d1ce37721f2af9d6598
GuLoader
5cc027a4132a6238c1c280b1000aef347ba72337e743b086a0bc69d7b5b76e3c
GuLoader
7b1f41c2637cb64002e085187d4c5fdecea9153e28207ebab8984473771919f9
GuLoader
99b13841abbf0c2bf736ab08e0e7f48cd28cab2e69eff60399de65e0eced2e68
GuLoader
a4d801e88635f298ec71796cafeaf6880547b35be5b8ee18aea59ed85e63ece6
GuLoader
d64217395d8a43cd86ae4f154bcfcb62755241a26e4bfbdd06f049fbbfa38fca
GuLoader
e88388bec3164944678627db062b753e76b6f7f710a9fabc43dfe69e7df2f366
GuLoader
+ 2'519 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210428-r269qde2ca/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
624144b2f3c5ac061a7ba15175e01fdbd9c2d3038b56e5c73b9ec4b5a480e47e
MD5 hash:
92c690854d94126889ad09b5d948af3b
SHA1 hash:
f7fb3eef5599ff26da544b8ea2b7dc3503b3238c
Link:
https://www.unpac.me/results/d32bd288-5b5d-48a9-a25d-9f4f9b669693/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/624144b2f3c5ac061a7ba15175e01fdbd9c2d3038b56e5c73b9ec4b5a480e47e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144881/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-28 09:02:04 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
1) [C0019] Data Micro-objective::Check String