MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91adaeeb7ac7733741a68cc0283a10f64403f64d1378558bae2342bec847f8e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91adaeeb7ac7733741a68cc0283a10f64403f64d1378558bae2342bec847f8e5
SHA3-384 hash: 294ee214e2ccd7a939c7a9a647f00b20eac66867adfc2c22609d55298a0e651d8fdf6c7daebb23fce237ea9be8c5a910
SHA1 hash: 362bed3bf9929c41f994f76740dba065b759c9de
MD5 hash: 84a826cd3ec8f67081f51d14b268b95c
humanhash: magnesium-hotel-floor-twenty
File name:84a826cd3ec8f67081f51d14b268b95c.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-05-26 10:58:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e330765c364338084ed512904d9963c (2 x GuLoader)
ssdeep 1536:5J5N95dVlmpesUUnHhPTqoRrDfG6XdMWkcUbTMsE:35bLVlHsUUBruLWCMB
Threatray 1'216 similar samples on MalwareBazaar
TLSH 7AB3F81B79ED7CBADF758FB20830CEA11C22BC3519148B573949B71D6A7329E28B4316
Reporter abuse_ch
Tags:exe GuLoader nVpn RAT RemcosRAT


Avatar
abuse_ch
GuLoader distributing RemcosRAT

RemcosRAT payload URL:
https://drive.google.com/uc?export=download&id=1VLivmY62qlrWug9b1kyAcAe2At7N4IMy

RemcosRAT C2:
copymailduplicate.ddns.net:4445 (91.193.75.82)

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4985/
Detection(s):
Win.Trojan.Fareitvb-7900518-0
Create hunting rule

Win.Malware.Guloader-7900546-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 12:57:15 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
13 of 31 (41.94%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
remcos
Create hunting rule
Similar samples:
1df9aa28e1f0652e0797e7531c2965387107ecb56b2988f260d758a932ce3d1b
GuLoader
487032be06deec0a6b50c6c0464edb67d50f9bb769ea1527969d4b67b83e8733
GuLoader
644aa25d23ed0bde16287cbf053890168f01b13ba8909a1c9b984f8f2f58180f
GuLoader
9ad345199fba200ac03609aa9a93be1c10663b7c2c1f3d0467e747f0f0147caf
GuLoader
a32c37dd601a6fcdd6e622b2c928c7ef7935a77a0df9a2dfb9c7774630dd266e
GuLoader
a7d93e9c9bb80f0f8a271ae4a101f305bac535e197697b35f291794fa83ef538
GuLoader
b05eb1ace6dd219a6e5ea23d25ea88bbd672ad379ac4dcaa935acbfdece37c0b
GuLoader
c689edeb2bea45f5a7e6402ba51dc23e40e6c8b509841f60cb3d7327340b9b60
GuLoader
ca1db184290b274c1f78b091bf019926fa258dd8b1f5bb316a55832aec970338
GuLoader
e138622ca793f4a546496b40dcf406a83aa667d16fa2a29879d8282a39d6e7ff
GuLoader
+ 1'206 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-wytqan5qvx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 91adaeeb7ac7733741a68cc0283a10f64403f64d1378558bae2342bec847f8e5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/368621/
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/4985/

Comments