MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fe5339787d8f43616b237184b590f5eddd691221bebd67f3847a9c1bb510417. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	6fe5339787d8f43616b237184b590f5eddd691221bebd67f3847a9c1bb510417
SHA3-384 hash:	3fdc6b7269c5f2f53e0efdfc79816cfb69ec1b6215bcbe411065c7c2bc7437aa5e0b4dd77b9c46ab3a9d17d12b63b0fb
SHA1 hash:	d22d2953d59088c73b4287f58523e030d6113f68
MD5 hash:	1580f84c43a5fbacb20571df00898f18
humanhash:	princess-six-triple-video
File name:	shipping documents.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	352'040 bytes
First seen:	2022-02-10 13:35:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:5bE/HUK57mgRKuRA4T7W/Ia12YeoTjiX1Vvoi652gDf4lDJw58rvGz5bP1D+:5b+57rKUTS/bpvCX1sSlGKvGt71D+
Threatray	1'550 similar samples on MalwareBazaar
TLSH	T1EA741202FA208427F47A0AB105BBBA6B87FD982056608F275B90D64C7D63B415E4EFD7
File icon (PE):
dhash icon	bb3bf39a9ed9e6b2 (2 x GuLoader, 1 x ZLoader)
Reporter	GovCERT_CH
Tags:	exe GuLoader signed Vildmndene4

Code Signing Certificate

Organisation:	Vildmndene4
Issuer:	Vildmndene4
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-10T11:03:06Z
Valid to:	2023-02-10T11:03:06Z
Serial number:	00
Intelligence:	325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	92fd069030bb25ae4d9bc54a63274049a3c165a39c0778a77c08670af9683313
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

313

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/240645/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a file

DNS request

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/620514c8289e2f3e4fbc2b56/reports/a5ccaa63-3bd4-448e-a7d7-ee3c986af890/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7736d230-ebf0-4882-baf9-963077faf24d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/937646

Signature

Executable has a suspicious name (potential lure to open the executable)

Found PHP interpreter

Initial sample is a PE file and has a suspicious name

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fe5339787d8f43616b237184b590f5eddd691221bebd67f3847a9c1bb510417/

Threat name:

Win32.Downloader.GuLoader

Status:

Malicious

First seen:

2022-02-10 13:36:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 28 (42.86%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n7sthf4h3d2dmfvsg4mewwipl3o5nejcdpv5m7zyi6u4do2raqlq._file

Verdict:

suspicious

Label(s):

cloudeye

GuLoader

10f957f6ae25382ddca0fc6fbd364f20d6e4cfa2f49728167bc1504cd3be0c46

GuLoader

4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911

GuLoader

4fa28556557b228a0cabb6a51597217e09afdf58a140b1181f0bd8325e6e4d0f

GuLoader

7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347

GuLoader

7916f9aeaf36a8fec95e5a5cb7372f509e6597d3b8648a636b425f382e6993f8

GuLoader

c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd

GuLoader

c5c0fbca778f53dc085d84ad3f038e4a20bce7add5f07012594194bc3bca522a

GuLoader

+ 1'540 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/220210-qv874sghd4/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Enumerates physical storage devices

Drops file in Windows directory

Loads dropped DLL

Guloader,Cloudeye

Unpacked files

SH256 hash:

8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

MD5 hash:

cff85c549d536f651d4fb8387f1976f2

SHA1 hash:

d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

Link:

https://www.unpac.me/results/e05fe0d8-1568-42b0-9cce-8109cc55a833/

SH256 hash:

6fe5339787d8f43616b237184b590f5eddd691221bebd67f3847a9c1bb510417

MD5 hash:

1580f84c43a5fbacb20571df00898f18

SHA1 hash:

d22d2953d59088c73b4287f58523e030d6113f68

Link:

https://www.unpac.me/results/e05fe0d8-1568-42b0-9cce-8109cc55a833/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe 6fe5339787d8f43616b237184b590f5eddd691221bebd67f3847a9c1bb510417

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/240645/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample