MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74c63e265510c6f922ac8fc6e6fb1de2b2077bde8aaa0c274fd3a1fe8f6608b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

SHA256 hash: 74c63e265510c6f922ac8fc6e6fb1de2b2077bde8aaa0c274fd3a1fe8f6608b1
SHA3-384 hash: cdba35c80c9e8e23e694df6a60ed25581cd826874651b0e8a0987aea3f89ade6f96b7b350747ea4bfe9ff592aef73866
SHA1 hash: aedef56e119045106e780005432de1ab76d46533
MD5 hash: 6d5d429dde7203819d72c7e0ed55cdbe
humanhash: spaghetti-charlie-bulldog-moon
File name: Ziraat Bankasi Swift Mesaji.exe
Signature: GuLoader
File size: 794'904 bytes
First seen: 2022-07-13 06:48:09 UTC
Last seen: 2022-07-13 08:06:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep: 12288:DQL75H9GWej46KkLk/nKIN2TEfIW0U1/XS0lk8l9hUr8BsrUtWAWa:DmdH9B9xKk/yTEWw/Xtjl9heUAAJ
TLSH: T1C6F423E23481D777E6728A721D7BD9BD6EB1BE232951A2037780B3AFB8730141957213
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b8b454a060c1b0b2 (6 x GuLoader)
Reporter: abuse_ch
Tags: exe geo GuLoader signed TUR ZiraatBank

Code Signing Certificate

Organisation: METEOROLOGIES kamseen TOPSTILLINGS
Issuer: METEOROLOGIES kamseen TOPSTILLINGS
Algorithm: sha256WithRSAEncryption
Valid from: 2022-07-12T22:34:59Z
Valid to: 2023-07-12T22:34:59Z
Serial number: 1e986c5189038f1e
Thumbprint algorithm: SHA256
Thumbprint: 73d5af3dc47ec6455590598fb40ff046381602f0f48009a2190dac90d831b716
Source: This information was brought to you by the ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 259
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour
  Searching for the Windows task manager window
  Running batch commands
  Creating a process with a hidden window
  Sending a custom TCP request
  Searching for the window
  Creating a window
  Creating a file
  Delayed reading of the file
  Creating a file in the %temp% subdirectories
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: buer overlay packed shell32.dll

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.Shelsy
Status: Malicious
First seen: 2022-07-13 06:07:18 UTC
File type: PE (Exe)
Extracted files: 15
AV detection: 13 of 41 (31.71%)
Threat level: 5/5
Verdict: suspicious

Result
Malware family: guloader
Score: 10/10
Tags: family:guloader downloader
Behaviour
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Drops file in Windows directory
  Drops file in System32 directory
  Loads dropped DLL
Guloader, Cloudeye
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam
  GuLoader
  Executable exe 74c63e265510c6f922ac8fc6e6fb1de2b2077bde8aaa0c274fd3a1fe8f6608b1 (this sample)
  Delivery method: Distributed via e-mail attachment

Comments