MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6785bb7e30144c967cf7c9c905f2bbae99951ac320d5d30d63e11a30242d3547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	6785bb7e30144c967cf7c9c905f2bbae99951ac320d5d30d63e11a30242d3547
SHA3-384 hash:	421ea1eb3715d2ec8fd02079b40444d2a4eacd7f2d931b602419cbe0f2b22d00ae1bd12cd0b4e7dcdb26c1b0934c2afa
SHA1 hash:	92c387f6effbe2df74b601b98f57cad2a6a51efd
MD5 hash:	e7ba8da6f0c9e95ca83b0529b62dae75
humanhash:	tango-jersey-zebra-stairway
File name:	COPY-BLAZON.jpg.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	193'648 bytes
First seen:	2021-06-21 12:29:09 UTC
Last seen:	2021-06-21 14:00:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	269fbb82c8f402e670c866cdbdfbba84 (4 x GuLoader, 2 x Loki, 1 x BitRAT)
ssdeep	3072:x2cPWryIMoLVaqAd581PdodzGieLklBUTi4i22R:IUSRaqOigdzGi1lBUMR
Threatray	1'988 similar samples on MalwareBazaar
TLSH	2B147CB0B781FD72D76A857563914BBA1E886C304958C9C3E2C1331FEBB66D2C731626
Reporter	James_inthe_box
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	typhose
Issuer:	typhose
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-06-21T02:21:29Z
Valid to:	2022-06-21T02:21:29Z
Serial number:	00
Intelligence:	325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	c37418487d3f53ac36dde500c947930806f46adcc32a5d6669add5b3477f63f0
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

COPY-BLAZON.jpg.exe

Verdict:

No threats detected

Analysis date:

2021-06-21 12:35:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/75118dca-3d8e-4a81-962d-1e9520102299

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/167274/

Detection(s):

SecuriteInfo.com.Variant.Razy.880943.27842.25890.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0e222e93-e7dd-461c-99ff-d7ff872ea258

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/805292

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

guloader

Link:

https://mwdb.cert.pl/sample/6785bb7e30144c967cf7c9c905f2bbae99951ac320d5d30d63e11a30242d3547/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2021-06-21 04:59:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 46 (19.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m6c3w7rqcrgjm7hxzheql4v3v2mzkgwdedk5gdld4endajbngvdq._file

Verdict:

unknown

GuLoader

1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666

GuLoader

2bf17b827e1be1f3a8b305a4e215347d08d32ccac5eb4028d49391b30c6ac4a7

GuLoader

2fbf6c5454bb88073ecbc13b293375ec58a9f8636c188881ffd7a3573f3c1cac

GuLoader

414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65

GuLoader

815b5f62adb35607df07859bfd1b75763bf525643e7f21d5a0f8803dd0e86be4

GuLoader

8653a11ee811265418a3b6f12945c585b77aea72f02b2d80f481c1100d895299

GuLoader

8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047

GuLoader

a76f692240be874358bd241860d2f492eca687f44e0bffade3b631ccf142117d

GuLoader

f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b

GuLoader

+ 1'978 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/210621-k4jtqwnp9s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Malware Config

C2 Extraction:

https://onedrive.live.com/download?cid=1130B101447311D6&resid=1130B101447311D6%21108&authkey=AORNBanyMg-WeJA

Unpacked files

SH256 hash:

6785bb7e30144c967cf7c9c905f2bbae99951ac320d5d30d63e11a30242d3547

MD5 hash:

e7ba8da6f0c9e95ca83b0529b62dae75

SHA1 hash:

92c387f6effbe2df74b601b98f57cad2a6a51efd

Link:

https://www.unpac.me/results/fe26ec89-c3fc-4b8a-8932-3b4cb070ecf5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

GuLoader

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6785bb7e30144c967cf7c9c905f2bbae99951ac320d5d30d63e11a30242d3547

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/167274/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample