MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
SHA3-384 hash: b0806b2110ccb3346dbe0a420b32ded200f5d256c2737c7e7716893713461914727363bfb0b9f86d5956159382b88b4d
SHA1 hash: 760a5f2a2bf97dd17451590085cc9ffa1afc3e5d
MD5 hash: b3785f9036e75cc79819a742b1403924
humanhash: illinois-georgia-snake-tango
File name:b3785f9036e75cc79819a742b1403924.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:332'024 bytes
First seen:2023-12-05 07:08:00 UTC
Last seen:2023-12-05 08:29:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 6144:yjpfaQXZqS28nzfxK5y0LcJE6exF35RzxL6RfPXUMQQi96KtBzo8TVUHP:+S2ZqP8jgjgJC3363UMAPB2
Threatray 108 similar samples on MalwareBazaar
TLSH T16B64238329E19047EF8152369BB7A650FBF6BA754802578B73A04FF5DC327C29A01213
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Issuably
Issuer:Issuably
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-29T02:51:57Z
Valid to:2026-09-28T02:51:57Z
Serial number: 4f572a75cb22e0474a8b5d75096ab0dec918030c
Thumbprint Algorithm:SHA256
Thumbprint: db462020abd854ac4eb91475186aeb7e17e76e6b410d2ed28310fece4e19e69e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
b3785f9036e75cc79819a742b1403924.exe
Verdict:
Malicious activity
Analysis date:
2023-12-05 07:13:54 UTC
Tags:
guloader loader trojan rat remcos keylogger
Link:
https://app.any.run/tasks/eb5aa304-7a67-435f-8741-d398e741c8ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462522/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.21658.14324.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656ecc56da3178d99cd80d4e/reports/6f600a81-e38f-4e46-8ff7-9223efda73ed/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08a19d4f-740e-4556-8007-02440cafbdaa
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353742
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Remcos
Snort IDS alert for network traffic
Submitted sample is a known malware sample
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-29 05:38:34 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6wrqpbrs5s27ocvnlbo2uene2d4qw2dwcci2ji3q7w36atz7olq._file
Verdict:
unknown
Similar samples:
20386f6d4e80e1f8ab6b7b32ada778e092c30096cdffdeeaf9a120274855ace2
GuLoader
2489ed4ad13317146172de6a5c704cc6897ed228f10107c9ec90a7eb142cf84a
GuLoader
285433538c2f985909c0037d5bef1b84e03cd7375989ba3660ff571746ca3f2c
GuLoader
7c9e88afcdeebca3c1f07c6a2c571d2fd51260c6dba7fdf0d2d10999ba23836d
GuLoader
8a0874a8540772c03d595653af7bd80011589d4944705541c4c5a60c11f27b1a
GuLoader
8d4b6402a6c425fd43bcafdcdf6e08033daef3980e25fe7edf457d030736f602
GuLoader
d05840831193582f5b1c4dafd24f629ef97b6d030bf52c2ff857b2488f9988f5
GuLoader
f7d5f219270af7750ec88e6bc13add921895d7bca13c58f596cfe86946ffae61
GuLoader
fa71bbc6871f13271d6fae0f9a16dcb44961e7c9730baa8efb86999f06ea7105
GuLoader
fd087e17a8ade4ce303d86d6ebbf5b5fec4e8eae903ffea3787bb5384c1c3841
GuLoader
+ 98 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231205-hx8elaaa45/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
MD5 hash:
b38561661a7164e3bbb04edc3718fe89
SHA1 hash:
f13c873c8db121ba21244b1e9a457204360d543f
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/a44b2211-f11b-4c83-a056-9f18a17b331e/
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
SH256 hash:
bf0cf3990c6c23dd91ec21071c31537f36355b6d6900358e1536b9a377427619
MD5 hash:
26fc881f84b7f9081cf6b58ab8f9ec08
SHA1 hash:
c4424b9a716392228d55f7d067592d77e9d1b5d2
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/a44b2211-f11b-4c83-a056-9f18a17b331e/
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
SH256 hash:
42da78cbeb8edc7ff9ffddf44d09714118bd8dc70a32b101879ad470d527173a
MD5 hash:
438effb4929530a9028e7755030096ba
SHA1 hash:
79bb23072b4b570027db7908afdcfb5097d355ea
Link:
https://www.unpac.me/results/a44b2211-f11b-4c83-a056-9f18a17b331e/
SH256 hash:
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
MD5 hash:
b3785f9036e75cc79819a742b1403924
SHA1 hash:
760a5f2a2bf97dd17451590085cc9ffa1afc3e5d
Link:
https://www.unpac.me/results/a44b2211-f11b-4c83-a056-9f18a17b331e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87ad183c3197/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462522/

Comments