MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ec684964e715bd7b62ec19904871853f5be9bf40dcd835c230ced852f24cc34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ec684964e715bd7b62ec19904871853f5be9bf40dcd835c230ced852f24cc34
SHA3-384 hash: 22f43b20fc8b21e4c48dbcd727db730f68d60981340a1757adf4af469d793d6b6466043cad7c9c0bcb6290a197ea8d1a
SHA1 hash: f7ac5ccce128d5c9816842bf070f3b3d043e9efc
MD5 hash: 17ace7294e391959675a0d5dcf8116da
humanhash: arkansas-arizona-eight-purple
File name:SecuriteInfo.com.Win32.Trojan-gen.5673
Download: download sample
Signature GuLoader
Create hunting rule
File size:354'992 bytes
First seen:2022-09-07 20:30:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 176ce6397deb91dca8c8158bf86c99a0 (16 x GuLoader, 4 x Formbook, 3 x Loki)
ssdeep 6144:B/c/43AbmhXUQirdrt9ENYoTvGfKPGneuavVVSBjz6znUp2UQLK9Cdn1EokmBw7v:BR37XUTrdp9SYYOfKeneuavVMyUjEf12
Threatray 14'133 similar samples on MalwareBazaar
TLSH T194742294FFD0C8B9D9A70274B1398F471AF67B9B90152327FB30B9867D22342560D366
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0d2ccc8c0f0f4f0 (2 x GuLoader, 1 x Loki)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Fyrende Guyline Differentialligningssystemers
Issuer:Fyrende Guyline Differentialligningssystemers
Algorithm:sha256WithRSAEncryption
Valid from:2021-11-25T16:13:19Z
Valid to:2024-11-24T16:13:19Z
Serial number: 5b733613fa8990f7
Thumbprint Algorithm:SHA256
Thumbprint: fa2260b8b91cb9d46652bcd9574c447cffa35080caf25a0ef81c19218c00daa2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
472
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.Trojan-gen.5673
Verdict:
Malicious activity
Analysis date:
2022-09-07 20:33:17 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/ec31423d-0fe2-45e2-a53c-695ce1113ad9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308582/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.5673.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36978/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6318ffde20a1e05a51a9aaa2/reports/b0ddcdad-8653-4535-a812-59c398cb5f27/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7acec9d5-6411-44db-8f1d-07f7cf39738a
Result
Threat name:
GuLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066753
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ec684964e715bd7b62ec19904871853f5be9bf40dcd835c230ced852f24cc34/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 14:13:28 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3dijfsoofn5pnroygmqjbyykp235g7ubxgygxbdbtwyklzezq2a._file
Verdict:
unknown
Similar samples:
2a6ce3844cb0426fefb02d57bbb8eab576d0f089231c61aa1293cf0028d1db85
GuLoader
493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c
GuLoader
4c72a5eff108b8b4d7789cd3cf92969a7357c6d5c6ecccfb1aa26f1e8f6ecb42
GuLoader
8f9cf775cd2f30283dac9c8441e6787000ba95706d467b5199a00b3aaa213ea5
GuLoader
90a23ff30cf40dbf180e2ca98360bbcecaf1a736f7bb118efe7fbff2db7dc82c
GuLoader
a1a380c16c8b853cc0b4825af9287430debc0ddaafd5f6ac5633ad6341dfb13c
GuLoader
bc25deacda2e313aef6e1bc19940cbafdc8e881dd00f5b7f9dd1b57c27fd3795
GuLoader
bc6bb84d6521d6dacbb323108af50cc6534b2ba88c6257f38e06fa4dc0d5d9d0
GuLoader
daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610
GuLoader
f404a5d8e7a6622e073a2a596e728cb5be383baa2df71924d116db5ed2fa68ee
GuLoader
+ 14'123 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection discovery downloader spyware stealer trojan
Link:
https://tria.ge/reports/220908-fwslmsdgb6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
Lokibot
Unpacked files
SH256 hash:
6b6c63505ac093672cdc062ea23ea8fbb263204c9591c936dda896cba2c56504
MD5 hash:
499788d1d4b70ea3499b6411ef5aca0c
SHA1 hash:
db7274f0c3beea8a2ed7df7fe3006b1ec965d13c
Link:
https://www.unpac.me/results/5a38a86f-0b41-4246-8ba2-bcd119bb1bfe/
SH256 hash:
1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1
MD5 hash:
6c38da8922cc37b4bbb77de4a63ad843
SHA1 hash:
4e0533fd11df8bddbd543ed58df7b6060d9f4631
Link:
https://www.unpac.me/results/5a38a86f-0b41-4246-8ba2-bcd119bb1bfe/
SH256 hash:
6ec684964e715bd7b62ec19904871853f5be9bf40dcd835c230ced852f24cc34
MD5 hash:
17ace7294e391959675a0d5dcf8116da
SHA1 hash:
f7ac5ccce128d5c9816842bf070f3b3d043e9efc
Link:
https://www.unpac.me/results/5a38a86f-0b41-4246-8ba2-bcd119bb1bfe/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6ec684964e71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/6ec684964e715bd7b62ec19904871853f5be9bf40dcd835c230ced852f24cc34

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308582/

Comments