MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67e83af6282dac6c860ce6cba06461848fac1841bf7f05feeda727fe722029e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67e83af6282dac6c860ce6cba06461848fac1841bf7f05feeda727fe722029e9
SHA3-384 hash: 4dea8996657acf773bee7cd086274542de5f46611a3961fd37d02e164ca72f82b0a954c76b182524b83ec31bcd614e35
SHA1 hash: 0af7a34ab0312be1d95f47a24067a9461e9d3c1c
MD5 hash: 4a97041b159dda7634334d01619fac94
humanhash: massachusetts-massachusetts-failed-alabama
File name:4a97041b159dda7634334d01619fac94.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:131'072 bytes
First seen:2021-06-23 18:57:24 UTC
Last seen:2021-06-23 19:41:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7b83594c1a58925c328e887fceb49629 (1 x GuLoader)
ssdeep 1536:EwbIYEQ7ZbF7hL28c3s3bi9NrAuWhmkOeE7IbuTZ3r0lneQpuO:EwbhEQnh4Ei9NrAVhmMS93wx
Threatray 2 similar samples on MalwareBazaar
TLSH 9DD3712161E4B865E1CFD1B0214BCE8A186D7C37666EBD4337F86E64B5642873EF0227
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://farmersschool.ge/bin_wcIUJ127.bin
http://benvenuti.rs/wp-content/bin_wcIUJ127.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4a97041b159dda7634334d01619fac94.exe
Verdict:
No threats detected
Analysis date:
2021-06-23 19:07:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/376cb3f5-b129-4189-98fa-a771630fd66b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.26597.5399.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c372ada0-7041-48c8-8cf2-8c7fe893fbe2
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/806816
Signature
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/67e83af6282dac6c860ce6cba06461848fac1841bf7f05feeda727fe722029e9/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m7udv5rifwwgzbqm43f2azdbqsh2ygcbx57ql7xnu4t744rafhuq._file
Verdict:
suspicious
Similar samples:
66e4fb4c25d6f26bd7322782642f7b3ffd5747ca736e64868f8a3c76467bf8c0
GuLoader
7c72d2e12ed2db6353a373d16c07eaf27fbf110c75a2dc7535ec7d624cb42012
GuLoader
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210623-dfr5nn1h9x/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Malware Config
C2 Extraction:
http://farmersschool.ge/bin_wcIUJ127.bin
http://benvenuti.rs/wp-content/bin_wcIUJ127.bin
Unpacked files
SH256 hash:
67e83af6282dac6c860ce6cba06461848fac1841bf7f05feeda727fe722029e9
MD5 hash:
4a97041b159dda7634334d01619fac94
SHA1 hash:
0af7a34ab0312be1d95f47a24067a9461e9d3c1c
Link:
https://www.unpac.me/results/d99aa7b3-da58-45b3-981f-c364ffbbfd46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/67e83af6282dac6c860ce6cba06461848fac1841bf7f05feeda727fe722029e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 67e83af6282dac6c860ce6cba06461848fac1841bf7f05feeda727fe722029e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1391935/
  
URLhaus
https://urlhaus.abuse.ch/url/1390689/
  
Delivery method
Distributed via web download

Comments