MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83abc3d26ce461e8fbedade06fb4cdc677e24696cca810303ff44f51c53d71e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83abc3d26ce461e8fbedade06fb4cdc677e24696cca810303ff44f51c53d71e0
SHA3-384 hash: 68e8026e0c00ea8e9b1f682302886b602f825254a08d6a52692032417cc29057c80113758e9af87b914afa67636e6a89
SHA1 hash: 73a1b855afa51f121c212552b56b4e617b93ba60
MD5 hash: 78d368e75f05884ee1bc41eaae669a5d
humanhash: east-minnesota-alabama-romeo
File name:SecuriteInfo.com.Trojan.GenericKD.37054791.25136.31046
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2021-06-07 18:38:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 20511f60b3c62ae145d60c4c066b22a5 (3 x GuLoader, 1 x RemcosRAT)
ssdeep 3072:dSMD2wNud50xWqEfGBpQ2JyB92mTZP9dsTPElQXAKY3ZHduauVZ/71:8Maz50xWqEfGBpQ2JyB92mTZP9dsLdVx
Threatray 1'773 similar samples on MalwareBazaar
TLSH 6DB30943DA2A2938CD869DF03427F9113325FC21422B1E1F7154DBFD6BA1A63BA99707
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fc19e76b2eb0854eaa915c9be0fc77cf
Verdict:
Malicious activity
Analysis date:
2021-06-07 01:21:05 UTC
Tags:
exploit CVE-2017-11882 opendir loader
Link:
https://app.any.run/tasks/daed5500-167d-4d45-9685-b3a80cb1215f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165084/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37054791.25136.31046.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows directory
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/798308
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83abc3d26ce461e8fbedade06fb4cdc677e24696cca810303ff44f51c53d71e0/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 13:09:21 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qov4hutm4rq6r67nvxqg7ngnyz36eruwzsubamb76rhvdrj5ohqa._file
Verdict:
suspicious
Similar samples:
0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083
GuLoader
1bb72973618ae46b0c84cc3d8f7316fd2176cd7c3dc3e085a1e627dd91c8d3bf
GuLoader
250d4d5045162c39e3c1b9d637e0188089299a04106202afdf1f4826d24e27f4
GuLoader
26429a83373a49db5ad7801f324d8f1ce0aafd687ee405a44cb8d6ebebf65c15
GuLoader
815b5f62adb35607df07859bfd1b75763bf525643e7f21d5a0f8803dd0e86be4
GuLoader
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
GuLoader
9e3fdcc393fc96ce693041533b4ecc9e43d57ad1bca40c99d07713dc90d39bd4
GuLoader
a5fb63409bbc68224d3e2be7511cc6a49fd205892813890c3a76feeabd5a5e56
GuLoader
c074c1fdfaa14d405a22ee3f4e423fd2307c9a3cf6cb1670e701f8d3eceeedab
GuLoader
c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
GuLoader
+ 1'763 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:xp_2021 persistence rat
Link:
https://tria.ge/reports/210607-2zs8b43wgx/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/01026cfd-5a70-4288-b7f9-d85a8c7eb2ba/
SH256 hash:
83abc3d26ce461e8fbedade06fb4cdc677e24696cca810303ff44f51c53d71e0
MD5 hash:
78d368e75f05884ee1bc41eaae669a5d
SHA1 hash:
73a1b855afa51f121c212552b56b4e617b93ba60
Link:
https://www.unpac.me/results/01026cfd-5a70-4288-b7f9-d85a8c7eb2ba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/83abc3d26ce461e8fbedade06fb4cdc677e24696cca810303ff44f51c53d71e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 83abc3d26ce461e8fbedade06fb4cdc677e24696cca810303ff44f51c53d71e0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1336709/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165084/

Comments