MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cbf8204595beadf10b5c491d713b2664f55049b024dea55d85eaa2878fe8a38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cbf8204595beadf10b5c491d713b2664f55049b024dea55d85eaa2878fe8a38
SHA3-384 hash: bdc89b6371fad85d3dc62ff8fda86dc2546ad889bc812a29101754fa0991da822dfe1b41313375818b380959042198eb
SHA1 hash: 8e26d1d835dcfbb4ece20420e8c2141b7fe8bacf
MD5 hash: 7f2f6bd73175809a653ca47f063e78d9
humanhash: illinois-timing-lake-december
File name:TRANSFERENCIA Y ATESTACIÓN-pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:757'960 bytes
First seen:2023-09-13 12:46:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (277 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 12288:4gSHDKHA2giiwZlXvPnEDryH++rNqacbo15zxbQK8kt10JSyP:4g0KHpxp/XvPnwryHOaI29bH/t10J1
Threatray 994 similar samples on MalwareBazaar
TLSH T1B1F412117E84DC90DC0954342A2EDA96237BFF6ACA75690B78D97B9F08B317E0683347
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon bc7061616161b0b0 (1 x GuLoader)
Reporter malwarelabnet
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-05T08:39:10Z
Valid to:2025-10-04T08:39:10Z
Serial number: 1c54792d33299cc59a90b3a07a191d9b614fd2b1
Thumbprint Algorithm:SHA256
Thumbprint: 36e1ac05946f31485ca33e0b12290c555dd4d57bc44a3eb794d60998501fbed3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TRANSFERENCIA Y ATESTACIÓN-pdf.exe
Verdict:
Suspicious activity
Analysis date:
2023-09-13 12:48:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/037070bd-54a5-4589-ae68-0bdc161486d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448388/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.652.3532.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control guloader lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6501af4625e2ece4df6c820e/reports/53fdf5f9-73c0-40bd-9a2e-b7438580d915/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/6cbf8204595beadf10b5c491d713b2664f55049b024dea55d85eaa2878fe8a38
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d97f8b78-9e7f-40fe-863a-7a13c80e3d88
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1308213
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cbf8204595beadf10b5c491d713b2664f55049b024dea55d85eaa2878fe8a38/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 08:39:16 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
17 of 35 (48.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ns7yebczlpvn6efvysi5oe5smzhvkbe3ajg6uvoyl2vcq6h6ri4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ad287dbe151a940761d048d0a6214c15970455280ef7c98c240c223bf0a7a73
GuLoader
0cffea5daeb941cc6235f4de2fe2ba348ff08742d196ffc68bc8d7f1109596fd
GuLoader
19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e
GuLoader
241c42aa6df24b11a6d52ef542e2f1c5eceba74438e26488b3e6d5b98e1ed8e4
GuLoader
681410b16401ea5300bb40bfbb69e2f01d14ab931f3f8597a2be00dcac74443b
GuLoader
88cad0969c1cd317bfe776bc60655fe0b9ad6ba40a80856188685512b31e68c0
GuLoader
937c5c7f89f4bc94355b490bc015a240badc8e8f5c291a2dafc5300aaad3892b
GuLoader
a65d60a0e83a78f2a7c81f0b867a727dccdaafc47485e7c5196563d9dcfe6328
GuLoader
b1ce73dac896a841321b1f502bcc32313de930cd0e5561874e51e80dc7cb06cc
GuLoader
fac68be8d34387e18062a7bc14ce9c070022c9cb3ff9ce8cc6cd58c18c00764d
GuLoader
+ 984 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/230913-pz7dmsed72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
MD5 hash:
b0c77267f13b2f87c084fd86ef51ccfc
SHA1 hash:
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
Link:
https://www.unpac.me/results/dd47b03c-4b81-4dc4-9e5b-a33dde256517/
SH256 hash:
6cbf8204595beadf10b5c491d713b2664f55049b024dea55d85eaa2878fe8a38
MD5 hash:
7f2f6bd73175809a653ca47f063e78d9
SHA1 hash:
8e26d1d835dcfbb4ece20420e8c2141b7fe8bacf
Link:
https://www.unpac.me/results/dd47b03c-4b81-4dc4-9e5b-a33dde256517/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6cbf8204595b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6cbf8204595beadf10b5c491d713b2664f55049b024dea55d85eaa2878fe8a38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/448388/

Comments