MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9
SHA3-384 hash:	a6bfcbea3b29affc688427fe94a4d4c1a64c787651f89de977b3535d55783896efa6ecae12c0cffd6ba65f5efca40449
SHA1 hash:	2ea338f0bf3772c2ac6d8739e71b66209f3eefa9
MD5 hash:	ac104894212fbed897a6e9ce55ab650b
humanhash:	spaghetti-hotel-cola-south
File name:	717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	469'167 bytes
First seen:	2023-10-10 13:35:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep	12288:GC/EgNQMtyEn6YrWHaczvs9FXnVQP2P6iUZtxNdYw:DckdyMzrM/vyciOz
Threatray	1'079 similar samples on MalwareBazaar
TLSH	T1DDA4010BBA1C9B6FD3584AB2793942319788DF6706103886FBC8FD1E297164DBE172D4
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e2ee8a8eb6d8ecf4 (56 x AgentTesla, 39 x RemcosRAT, 38 x GuLoader)
Reporter	adrian__luca
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

286

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9

Verdict:

Malicious activity

Analysis date:

2023-10-10 15:55:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c7faaacd-afaa-474d-a32a-65a2aeb11502

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.UGA.20041.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% subdirectories

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/57646025-c6bc-4324-becc-4e0c660079c6

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1322969

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9/

Threat name:

Win32.Trojan.Makoob

Status:

Malicious

First seen:

2023-09-14 06:05:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=of57twxpznczqdxyeo6jsummok4inxssuutklpcfpgsq75pz5s4q._file

Verdict:

malicious

GuLoader

1d03f988e19d2663762d9eda11bce6fc85dedc4bfd488301bd1d76c1a1429ad2

GuLoader

22220e44323b331b37a0576b701085b7c53665aee96c6897920939ceecfcc5ad

GuLoader

23f6c24a5984c1bc1450f2d6eb32f3ece4e52bc275b4e9eea038db9f7f4f7717

GuLoader

38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f

GuLoader

4d688c6baec0d972c248f7747f18dc385e67a0fb2b1a5deb70f324b16220780d

GuLoader

5dd8324382a5bcea5859d89a259fc1fb3623f91fa720bc016b372ef2c87cae0c

GuLoader

a23baf6242f0bb5b11356a4a1edd873856b3839658e0fe2e7d97464b0dd42072

GuLoader

a770fff46977ee8c18165f11b5346157fbd600f7971428edb46ef048ade479b4

GuLoader

f3100e1ff79518aafd23f706e705e0c0639c4d76cb42df14a73268ab78aac4e8

GuLoader

+ 1'069 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader persistence

Link:

https://tria.ge/reports/231010-qv8xcadg7s/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Checks QEMU agent file

Loads dropped DLL

Guloader,Cloudeye

Unpacked files

SH256 hash:

ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

MD5 hash:

0063d48afe5a0cdc02833145667b6641

SHA1 hash:

e7eb614805d183ecb1127c62decb1a6be1b4f7a8

Link:

https://www.unpac.me/results/aaa51edf-92b0-4ce4-bcf4-651e60dda91d/

Parent samples :

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

SH256 hash:

717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9

MD5 hash:

ac104894212fbed897a6e9ce55ab650b

SHA1 hash:

2ea338f0bf3772c2ac6d8739e71b66209f3eefa9

Link:

https://www.unpac.me/results/aaa51edf-92b0-4ce4-bcf4-651e60dda91d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample