MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a
SHA3-384 hash: 4337389e8f3b8f024a0d94e7a67fdffe9f647101804fda6320ec4045e7c3b48a03b92bd48457faaf6604724144a3fbc1
SHA1 hash: ea748baebe70d7c6d3da9d1a2a34b76051425962
MD5 hash: 853744502b68e50e6cbaf81ffb3f5cc0
humanhash: lactose-helium-maine-gee
File name:SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2021-06-07 18:38:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 20511f60b3c62ae145d60c4c066b22a5 (3 x GuLoader, 1 x RemcosRAT)
ssdeep 3072:BCCFP2asIcR50gY4K+xWqEfGBpQ2JyB92mTZP9dsodxlxXuWcwZdZywBMxO8NJ:B3Bry+gY4DxWqEfGBpQ2JyB92mTZP9d0
Threatray 1'773 similar samples on MalwareBazaar
TLSH FEB3F753DB161938DD952EF0342AF6117326FC11012B2E2F7148DEF92B72663B5AA70B
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664
Verdict:
Malicious activity
Analysis date:
2021-06-07 18:41:35 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/16a0269b-5daa-4dc2-bd18-23909fe03efd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165088/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46442270.25635.17664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows directory
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/798309
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430707 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 07/06/2021 Architecture: WINDOWS Score: 96 63 Found malware configuration 2->63 65 Yara detected GuLoader 2->65 67 Yara detected Remcos RAT 2->67 69 3 other signatures 2->69 10 SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 2 2->10         started        13 win.exe 1 2->13         started        15 win.exe 1 2->15         started        process3 signatures4 79 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->79 81 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->81 83 Tries to detect Any.run 10->83 85 Tries to detect virtualization through RDTSC time measurements 10->85 17 SecuriteInfo.com.Trojan.GenericKD.46442270.25635.exe 4 10 10->17         started        22 backgroundTaskHost.exe 22 10 10->22         started        87 Hides threads from debuggers 13->87 24 win.exe 6 13->24         started        26 win.exe 6 15->26         started        process5 dnsIp6 47 ztechinternational.com 192.185.113.219, 49732, 49753, 49754 UNIFIEDLAYER-AS-1US United States 17->47 41 C:\Users\user\AppData\Roaming\win.exe, PE32 17->41 dropped 43 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 17->43 dropped 45 C:\Users\user\AppData\Local\...\install.vbs, data 17->45 dropped 71 Tries to detect Any.run 17->71 73 Hides threads from debuggers 17->73 28 wscript.exe 1 17->28         started        file7 signatures8 process9 process10 30 cmd.exe 1 28->30         started        process11 32 win.exe 1 30->32         started        35 conhost.exe 30->35         started        signatures12 55 Contains functionality to detect hardware virtualization (CPUID execution measurement) 32->55 57 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 32->57 59 Tries to detect Any.run 32->59 61 2 other signatures 32->61 37 win.exe 2 7 32->37         started        process13 dnsIp14 49 ztechinternational.com 37->49 51 hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu 172.94.125.152, 2024 M247GB United States 37->51 53 192.168.2.1 unknown unknown 37->53 75 Tries to detect Any.run 37->75 77 Hides threads from debuggers 37->77 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 04:28:37 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qekwa5yqynohr3ni3ulnopflslrmqv6yzeplcqrpzqnt6budljfa._file
Verdict:
suspicious
Similar samples:
0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083
GuLoader
1bb72973618ae46b0c84cc3d8f7316fd2176cd7c3dc3e085a1e627dd91c8d3bf
GuLoader
26429a83373a49db5ad7801f324d8f1ce0aafd687ee405a44cb8d6ebebf65c15
GuLoader
815b5f62adb35607df07859bfd1b75763bf525643e7f21d5a0f8803dd0e86be4
GuLoader
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
GuLoader
9e3fdcc393fc96ce693041533b4ecc9e43d57ad1bca40c99d07713dc90d39bd4
GuLoader
a5fb63409bbc68224d3e2be7511cc6a49fd205892813890c3a76feeabd5a5e56
GuLoader
c074c1fdfaa14d405a22ee3f4e423fd2307c9a3cf6cb1670e701f8d3eceeedab
GuLoader
c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
GuLoader
d9646a5d9e2ac0eb2a28dfd33d900d0b7559d4879854fc454c74ab9f59ea934f
GuLoader
+ 1'763 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:jice_2021 persistence rat
Link:
https://tria.ge/reports/210607-4l69vhj4sn/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu:2024
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/0d7a27a9-6ef1-4b78-a040-b175b8a78843/
SH256 hash:
8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a
MD5 hash:
853744502b68e50e6cbaf81ffb3f5cc0
SHA1 hash:
ea748baebe70d7c6d3da9d1a2a34b76051425962
Link:
https://www.unpac.me/results/0d7a27a9-6ef1-4b78-a040-b175b8a78843/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 8115607710c35c78eda8dd16d73cab92e2c857d8c91eb1422fcc1b3f06835a4a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1336717/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165088/

Comments