MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511
SHA3-384 hash: 17dab10f217e66b80f85d549fc480188c39fb5e83a57c601e1b92bb51d2efb9a686bce3c5d4dcd5a838a42ae871a37e4
SHA1 hash: 98058e52de678575ff2327d129a58313af4a3fc0
MD5 hash: 532e58083cf5638b05f617fcbbb5d63b
humanhash: echo-ack-mars-burger
File name:SecuriteInfo.com.Variant.Razy.845229.13077.24263
Download: download sample
Signature GuLoader
Create hunting rule
File size:106'496 bytes
First seen:2021-02-23 10:48:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fb04c04dc9621084e24b4642ca2fed6 (4 x GuLoader)
ssdeep 1536:3qN/HQiDkZQzBkKgIYNP7dmoK2gKpKeBEYjBqN/HQi:gkZQzB6IY9dEKpKng
Threatray 5'138 similar samples on MalwareBazaar
TLSH 8BA3092BAC5C4887D72D0230D41EA44A4269FC217AE7A59BF005FE3AD9793D1C76933B
Reporter SecuriteInfoCom
Tags:GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Razy.845229.13077.24263.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NanoCore
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615171
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356594 Sample: SecuriteInfo.com.Variant.Ra... Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 45 ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu 2->45 53 Multi AV Scanner detection for domain / URL 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 3 other signatures 2->59 9 SecuriteInfo.com.Variant.Razy.845229.13077.exe 1 2->9         started        12 dhcpmon.exe 4 2->12         started        14 RegAsm.exe 4 2->14         started        signatures3 process4 signatures5 61 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 9->61 63 Tries to detect virtualization through RDTSC time measurements 9->63 16 RegAsm.exe 1 20 9->16         started        21 conhost.exe 12->21         started        23 conhost.exe 14->23         started        process6 dnsIp7 41 mtspsmjeli.sch.id 103.150.60.242, 49741, 80 PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID unknown 16->41 43 ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu 10.2.118.40, 6932 unknown unknown 16->43 35 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 16->35 dropped 37 C:\Users\user\AppData\Local\...\tmp167E.tmp, XML 16->37 dropped 39 C:\Program Files (x86)\...\dhcpmon.exe, PE32 16->39 dropped 47 Tries to detect Any.run 16->47 49 Hides threads from debuggers 16->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->51 25 schtasks.exe 1 16->25         started        27 schtasks.exe 1 16->27         started        29 conhost.exe 16->29         started        file8 signatures9 process10 process11 31 conhost.exe 25->31         started        33 conhost.exe 27->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 09:53:53 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oweiseghlkmfqe3qrhvtlvelnmnpnvbyc7u2dw5z7pcat7nk2uiq._file
Verdict:
unknown
Similar samples:
0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a
GuLoader
17314d9e48839344dafc7dbdb9af89ad08603a106fb09eda8f74af42dd8a8252
GuLoader
21afff77ea0ce89dca2d925ed0d8b5a61f7ab42ca9aca78019843e9e251bbcb3
GuLoader
2f3135503ed9fb4ed106c98a51770d1ac8824631c02af922d763538a66d32e84
GuLoader
5278046daacc4237354be9a2b1094f6a9467e317b17c959c772ed5a86e25d737
GuLoader
6d0ea7f49d0cfc2e0ee87a860e99381955f73e0b70a294281c213bb9d3e91822
GuLoader
7c38d073b77ff7afc8f65aac812316d0fa9356115f1f3e78aca9fd496d177cad
GuLoader
81f7c328aef1d0b652a4e7b4157b34f2b462ace5c2f2483350b1a5e156ce8adb
GuLoader
82f6755bf6dac43b0082e56d26d5a54d3e5fb9d3c91e18cccdd4756113e3a50c
GuLoader
ed081d99724673a343863138b3eac0fbe402c8ba256cc466c535d3e7133187d1
GuLoader
+ 5'128 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210223-5cfewx1zwe/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511
MD5 hash:
532e58083cf5638b05f617fcbbb5d63b
SHA1 hash:
98058e52de678575ff2327d129a58313af4a3fc0
Link:
https://www.unpac.me/results/2b638a54-002f-4fa0-955b-df5a66cb3835/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Vcrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1025163/
  
Delivery method
Distributed via web download

Comments