MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 666f6668173354a8778b1d470f245c39116b67ad41e15d16b99d9ef69d794185. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	666f6668173354a8778b1d470f245c39116b67ad41e15d16b99d9ef69d794185
SHA3-384 hash:	099e57608bf37f16c12c7cb158c87e12bf2f0107a2ce71fa9b09fdd269c295d2800c7d4533642891ca7f376a3c3edc4f
SHA1 hash:	ea8312476160dcff3efc30e1dd19fa3b47ad318e
MD5 hash:	dd0dc89aaf975e6edd7599cf3db31449
humanhash:	three-uranus-hawaii-juliet
File name:	Payment error.exe
Download:	download sample
Signature	GuLoader Alert Create hunting rule
File size:	341'502 bytes
First seen:	2023-05-03 10:56:36 UTC
Last seen:	2023-05-13 22:54:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7eae418c7423834ffc3d79b4300bd6fb (51 x GuLoader, 16 x RemcosRAT, 15 x AgentTesla)
ssdeep	6144:MicFyjr5llfJ0wuk16KnawQQBGlbvs9/vIbD40FcYjaBOy/iL:PD5fJB3paX+9H8vFcC+/w
Threatray	587 similar samples on MalwareBazaar
TLSH	T1507412827560C57EE6B239B15C3A9F32C9B6CC2C145E621B2380BD6B7572722D62F343
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	dc9c98d991285458 (17 x GuLoader, 6 x Formbook, 6 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe GuLoader

Intelligence

---

File Origin

# of uploads :

3

# of downloads :

266

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

Payment error.exe

Verdict:

Malicious activity

Analysis date:

2023-05-03 10:57:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/706d4cfa-5f07-444e-8425-a6d43f03c2ed

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/386252/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.66154962.29897.18825.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Delayed reading of the file

Creating a file in the %temp% subdirectories

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/82311/overview

Behaviour

MalwareBazaar

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

comodo guloader overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/64523e081facab193c67350a/reports/7d22124c-a04f-46d1-90a6-29554ce44a8a/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/666f6668173354a8778b1d470f245c39116b67ad41e15d16b99d9ef69d794185

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b93cc89e-b96b-48d3-a074-6d8c0547be9d

Joe Sandbox GuLoader

Result

Threat name:

GuLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1225386

Signature

Antivirus detection for URL or domain

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sample has a suspicious name (potential lure to open the executable)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/666f6668173354a8778b1d470f245c39116b67ad41e15d16b99d9ef69d794185/

ReversingLabs TitaniumCloud Win32.Trojan.Guloader

Threat name:

Win32.Trojan.Guloader

Alert

Create hunting rule

Status:

Suspicious

First seen:

2023-03-29 09:12:53 UTC

File Type:

PE (Exe)

Extracted files:

11

AV detection:

17 of 24 (70.83%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mzxwm2axgnkkq54ldvdq6jc4heiwwz5nihqv2fvztwppnhlzigcq._file

Threatray cloudeye

Verdict:

malicious

Label(s):

cloudeye

Alert

Create hunting rule

Similar samples:

2ce8762499528e352fb5d3570a748aa408f72131430ac459affbcd4b40b2e99c

GuLoader

472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89

GuLoader

b9772355669f37cc643520569eb699b6bd00e96999495404977d082b0ef4fbaf

GuLoader

bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350

GuLoader

bf3b3dbdeec58b9b018269cb0881f25708c1b0f0db5ed19228645e7e9ef00563

GuLoader

d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87

GuLoader

e9e52f7f7442fd3bf5330794843a393c1b2e4e0fd462a153daaf89e4d1109d27

GuLoader

fe4020d80a71155f6d6f490b3ff6d5699cf839c815da0e077b476ab0ba6b375b

GuLoader

+ 577 additional samples on MalwareBazaar

Hatching Triage guloader

Result

Malware family:

guloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/230503-m19t2sed73/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Loads dropped DLL

Guloader,Cloudeye

UnpacMe 2

Unpacked files

SH256 hash:

6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

MD5 hash:

8cf2ac271d7679b1d68eefc1ae0c5618

SHA1 hash:

7cc1caaa747ee16dc894a600a4256f64fa65a9b8

Link:

https://www.unpac.me/results/c40fb694-3321-43b7-b224-57c23b4444ba/

SH256 hash:

666f6668173354a8778b1d470f245c39116b67ad41e15d16b99d9ef69d794185

MD5 hash:

dd0dc89aaf975e6edd7599cf3db31449

SHA1 hash:

ea8312476160dcff3efc30e1dd19fa3b47ad318e

Link:

https://www.unpac.me/results/c40fb694-3321-43b7-b224-57c23b4444ba/

VMRay GuLoader

Malware family:

GuLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/666f66681733/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI GuLoader

Threat name:

GuLoader

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/666f6668173354a8778b1d470f245c39116b67ad41e15d16b99d9ef69d794185

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe 666f6668173354a8778b1d470f245c39116b67ad41e15d16b99d9ef69d794185

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/386252/