MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de
SHA3-384 hash: 1e26b4e3beb143168d49a021db844fd979c20a01535229e2e9f770c8b46dd4d998210c071f1e801bbd9db6927d93eeca
SHA1 hash: 0d89ee2e0dc7018a1a23615f28f05dbc7d6fafc9
MD5 hash: fde4bf90f77974bf60e524c70f2cc3d6
humanhash: double-uranus-april-michigan
File name:fde4bf90f77974bf60e524c70f2cc3d6.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:95'328 bytes
First seen:2021-12-20 09:52:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep 1536:D/T2X/jN2vxZz0DTHUpouMJbAxE+1fS6ZJH3rkc+HSv7XqYugW2acBmCI0k:DbG7N2kDTHUpouMJbAPfSWJH3gyzfvnO
Threatray 8'318 similar samples on MalwareBazaar
TLSH T10493E100F6B0D837E9620A302C79637B9FBBE52556B15E4313102E6A7DB37C2AA1E751
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:sledgehammered
Issuer:sledgehammered
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-16T20:55:31Z
Valid to:2022-12-16T20:55:31Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 7c39aa0b4b002f6a4c3decffeec0e86b7a7fa350f431b4f163b0cbce4ea16051
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
GuLoader payload URL:
http://185.112.83.8/DriverUpdaterForSvhost.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215437/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.15588.15448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2736/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61c052828991ba72b38e4ade/reports/ff021bf6-db11-467b-be35-d54a50c85d59/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e655c791-a4da-411b-ad40-20806d456015
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910164
Signature
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2021-12-19 21:53:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5zsvy7pxxsv6dvdflyurdy2imeuh5cafmpszyldawhv5r3bi3pa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9
GuLoader
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
GuLoader
ab2261ddf24d2524a3ffe99044fac988f6178be9bc78d28cd5db289c414c3a4f
GuLoader
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
GuLoader
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
GuLoader
de2346e7683a4ed34d62a2954a38949335e6c1b27085a1cc82c08b0c6aec514e
GuLoader
+ 8'308 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:redline botnet:private_5 discovery downloader infostealer spyware stealer
Link:
https://tria.ge/reports/211220-lwmnaaabe7/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
RedLine
RedLine Payload
Malware Config
C2 Extraction:
194.26.229.202:18758
Unpacked files
SH256 hash:
67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de
MD5 hash:
fde4bf90f77974bf60e524c70f2cc3d6
SHA1 hash:
0d89ee2e0dc7018a1a23615f28f05dbc7d6fafc9
Link:
https://www.unpac.me/results/548230c3-3bd8-42ce-a01e-3386f2349f95/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1899997/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/215437/

Comments