MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 804257e2a2990868ba42413a9e115971317e5a3d80b13ae9526dabd277a49040. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 804257e2a2990868ba42413a9e115971317e5a3d80b13ae9526dabd277a49040
SHA3-384 hash: 6dbae8174ec8804468bb086f16f9ad8a41fe15cf424d7dfa04d78d0a7daa792272f5d210b3733ad83e56041fae71b924
SHA1 hash: 88046c0d95c6c17a8cad75e6eb27318e4f4f6e3d
MD5 hash: 627a163722a92810148229a71137b803
humanhash: connecticut-ceiling-skylark-finch
File name:swift.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:57'344 bytes
First seen:2020-11-02 14:44:57 UTC
Last seen:2020-11-02 17:02:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7890f146edeaeb8ae782387358143c21 (4 x GuLoader)
ssdeep 384:1Ukmy4Gh/zJ6mTOyQKdR3MnnceJLL++yZf2OwXq2:1UDGh/16sDR8nnZF++cR5
Threatray 3'029 similar samples on MalwareBazaar
TLSH 8643F555E5EA54F4DF8B4A721B2DC7BDC8D33D9042A17B02BA187FAD3A742620C9432D
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81823/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trojan.qm.23628.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/518240
Signature
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/804257e2a2990868ba42413a9e115971317e5a3d80b13ae9526dabd277a49040/
Threat name:
Win32.Dropper.OverJoiner
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 07:17:02 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbbfpyvcteegroscie5j4ekzoeyx4wr5qcytv2ksnwv5e55esbaa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2c80924676beb57ffb753a576380eed1ec48e265a7843a52b08664463d890b61
GuLoader
30834a0c650c7adf3edeb214c99469f0f227e4f04a7fd1ab9dbc37960fce9658
GuLoader
4320e2bf2bc6115ae79a52777bdd9aef62db691a756640f9c7fa6e8372e46193
GuLoader
46ea1705549840fd45e067930511c81a0b8979698f98e4b170b9a93b27a6ed0a
GuLoader
541c870536f63dd8b9eb7406fec6031505c59f5c21c8a6f581e5b29349a4a92b
GuLoader
6964c8791bbf63ce0cf1dac7e62486fd3398d16c72774904fd3a7ca4f3957fff
GuLoader
a0a84ef378c8199a1b4511396d185b39d2dca86ffc608144f9d12f61d7d48cfd
GuLoader
a9e51c077a3cb18a4fbb72e9a01bdbbeac7f78da7eb0462a6c191f5956ae83a1
GuLoader
c38dbdd341beb6f537971c9b0d98083ac08b59517052052b85d9368f85f63936
GuLoader
e3bb363542c6d38bc7cf43863d0247e9e9c96c5176f4c0cf4bbd3bbe2afbd31e
GuLoader
+ 3'019 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201102-65yhb7b5da/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
804257e2a2990868ba42413a9e115971317e5a3d80b13ae9526dabd277a49040
MD5 hash:
627a163722a92810148229a71137b803
SHA1 hash:
88046c0d95c6c17a8cad75e6eb27318e4f4f6e3d
Link:
https://www.unpac.me/results/00ad9c1f-02eb-4e3c-84a6-f5446edf9cea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/804257e2a2990868ba42413a9e115971317e5a3d80b13ae9526dabd277a49040

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/81823/

Comments