MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d986cc1bd9fd02c980515b451b918a00568baea36b0ed00113c3e5f993d99d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d986cc1bd9fd02c980515b451b918a00568baea36b0ed00113c3e5f993d99d4
SHA3-384 hash: 75d67f5f86f889c89b4398f6b00d45a705324bb5ddec55aeb9766ec058c6dedb2910eb679d36a0fd613356257209039e
SHA1 hash: 8c97dc1f9dd9357c732e37acb4196b3c6afa3f7a
MD5 hash: 64dbafa2a5c3f70fc03dd500da94f1d9
humanhash: massachusetts-juliet-green-orange
File name:SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411
Download: download sample
Signature GuLoader
Create hunting rule
File size:322'059 bytes
First seen:2022-11-25 02:29:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f23f452093b5c1ff091a2f9fb4fa3e9 (276 x GuLoader, 37 x RemcosRAT, 23 x AgentTesla)
ssdeep 6144:8Iw37u+aDgMprtofl1lOUjMLYWdh760tH8QiMCXE:pnMwqlXO1L/dV6HbMkE
Threatray 162 similar samples on MalwareBazaar
TLSH T1C364BE1B711E509ED50B313267EDF09A2B597C8F1BA1E9064BA77CEF95F43200A0EB16
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e2f2f0f8e0c0f868 (4 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
363
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411
Verdict:
Malicious activity
Analysis date:
2022-11-25 02:30:24 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/debcf66c-16d6-4d57-b838-31a7335760bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338248/
Detection(s):
SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Creating a file in the Windows directory
Sending a custom TCP request
Delayed reading of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/638028ac559d07a06f474ea8/reports/e003b3c5-06fe-4138-8aad-0170cf429d13/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/40aa681a-a62b-4fc3-a2f6-a659ab34fb09
Result
Threat name:
Azorult, GuLoader
Create hunting rule
Detection:
malicious
Classification:
evad.phis.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120819
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 753536 Sample: SecuriteInfo.com.NSIS.Injec... Startdate: 25/11/2022 Architecture: WINDOWS Score: 100 38 dbxo1.shop 2->38 40 aapancart.com 2->40 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 9 SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe 2 38 2->9         started        signatures3 process4 file5 24 C:\Users\user\Overfurnished\...\qipcap.dll, PE32 9->24 dropped 26 C:\Users\user\Overfurnished\...\WMIMethod.dll, PE32+ 9->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 9->28 dropped 54 Self deletion via cmd or bat file 9->54 56 Tries to detect Any.run 9->56 13 SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe 63 9->13         started        signatures6 process7 dnsIp8 42 dbxo1.shop 104.21.44.194, 49871, 49876, 80 CLOUDFLARENETUS United States 13->42 44 aapancart.com 103.14.99.114, 443, 49870 TRUNKOZ-INTrunkozTechnologiesPvtLtdIN Singapore 13->44 30 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->30 dropped 32 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 13->32 dropped 34 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->34 dropped 36 45 other files (none is malicious) 13->36 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->58 60 Tries to steal Instant Messenger accounts or passwords 13->60 62 Tries to steal Mail credentials (via file / registry access) 13->62 64 6 other signatures 13->64 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d986cc1bd9fd02c980515b451b918a00568baea36b0ed00113c3e5f993d99d4/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-25 01:19:35 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nwmgzqn5t7iczgafcw2fdoiyuacwroxkg2yo2aarhq7f7gj5thka._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
296d3276af7f064b6e29fd453f3273c4fbf7d47d5afa4a2ecb80b594467d85df
GuLoader
2f35e754d4ed60b61a7621e22710426b1d1ade21cd31cb4b2d71a88b2a53decc
GuLoader
9f47ed5d4825d6cf54c46856454b381f0a594dfdaa5027af5dc8379df03bcaa8
GuLoader
d3a66173013a037b63d6ab4eb79916bb7e32cea117a3a12ed823f1f41ee69ce2
GuLoader
d418b33e0f47d43fcc31e623c7c2b581aa9df51fb47a15414a8bb45b009f813b
GuLoader
e504cb27581e7e2bf9f32203245d8a2d00451808a66a641b8e090ebd93a5842d
GuLoader
ef98f88e2af062e52962b309ec92736c485ce509e6319271cdde46e030455b5b
GuLoader
f6a79144d1ff3fe08c93e756f50d43cba75721426448c17b702cdaa66e29ea7a
GuLoader
+ 152 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221125-cy6dqshg2y/
Behaviour
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cdac11aa-0b27-421a-a170-c7243c38c4ec
Unpacked files
SH256 hash:
c25ac29e08b4e2572a217650a171c6af09f351359e7e17f86a6ceea740e3e5fa
MD5 hash:
d49ad1349433b4bbeab6a1e865e5f0c7
SHA1 hash:
fec7b4cfa1c58b681cecb75e58db21512151c835
Link:
https://www.unpac.me/results/9bd89b6a-3aaf-4b05-94f1-935eabf380ea/
SH256 hash:
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
MD5 hash:
8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 hash:
223bef1f19e644a610a0877d01eadc9e28299509
Link:
https://www.unpac.me/results/9bd89b6a-3aaf-4b05-94f1-935eabf380ea/
SH256 hash:
6d986cc1bd9fd02c980515b451b918a00568baea36b0ed00113c3e5f993d99d4
MD5 hash:
64dbafa2a5c3f70fc03dd500da94f1d9
SHA1 hash:
8c97dc1f9dd9357c732e37acb4196b3c6afa3f7a
Link:
https://www.unpac.me/results/9bd89b6a-3aaf-4b05-94f1-935eabf380ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/6d986cc1bd9fd02c980515b451b918a00568baea36b0ed00113c3e5f993d99d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/338248/

Comments