MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91db926d13bb0137347991e30a1ccd093e535ff375e102bfd44d9aae15650d21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91db926d13bb0137347991e30a1ccd093e535ff375e102bfd44d9aae15650d21
SHA3-384 hash: 450bc14617e7069bc8410f9fa742a1b10344daa82650270a39ae80fdaddaade465622f07fa478d0b4ffc154ce7f2d5a9
SHA1 hash: e833264f87c3afe871a2ac3ccd78fc77f5bf2965
MD5 hash: 1dabdd40fc265a39611acf8c31fb19db
humanhash: comet-victor-uranus-washington
File name:1dabdd40fc265a39611acf8c31fb19db.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:102'400 bytes
First seen:2021-02-15 08:04:56 UTC
Last seen:2021-02-15 09:54:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 28cfb83efbb0b6bd426b66f31651da5c (16 x GuLoader, 1 x RemcosRAT)
ssdeep 1536:9qWp0jUkHuln1NyXwb/Gr3t65UtfssbkWh7A:9/2jzHi/Gmg0ytfu
Threatray 4'664 similar samples on MalwareBazaar
TLSH 68A3F932FA51DCB9C65580754452FBEC0A23BF328054AD1FB98CBA5E5E377C2A450D2B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://185.161.211.58/Mekino_nanocore_rIfno101.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1dabdd40fc265a39611acf8c31fb19db.exe
Verdict:
No threats detected
Analysis date:
2021-02-15 08:11:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7b05878-4645-4dcc-a30f-f72afea02883

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117159/
Detection(s):
SecuriteInfo.com.Artemis1DABDD40FC26.6958.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/607880
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91db926d13bb0137347991e30a1ccd093e535ff375e102bfd44d9aae15650d21/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2021-02-15 05:35:02 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=shnze3itxmatondzshrquhgnbe7fgx7toxqqfp6ujwnk4flfbuqq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004
GuLoader
1030855f4fc2a6abc876f5528638a6bc86b4380f879ba6545b99460387e2d8d9
GuLoader
1b9a71edba9009792694340883c03331b996ec6c63b3a41c6850dcb6d4f9c4fa
GuLoader
233e70b105e8fe2f1e9a41b68f380359c8666cea3d9d587ec2ec823cdda2a330
GuLoader
2871ff5b986f5c582a3468cf2a6210dad8216a164b0affd7c6b11e8ef69761ec
GuLoader
2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3
GuLoader
5abc66f1c2e2fb7c2d74dbaa17cfa47b1a4f4fc576ef7c842bc1de10bf236e5e
GuLoader
5c8356172fa558970b2136a5284da800910c0fef74a75a7eb160874ed3edeec2
GuLoader
6912ec55af4079f5ed9b08502d37c0164e833a05c5ed275c6328e745016ec3e8
GuLoader
d194034aea6b209fdb3c39cbe12aa0ce42143ba06e855df83b1f8848f1738acf
GuLoader
+ 4'654 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210215-cr99kf1x6j/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
91db926d13bb0137347991e30a1ccd093e535ff375e102bfd44d9aae15650d21
MD5 hash:
1dabdd40fc265a39611acf8c31fb19db
SHA1 hash:
e833264f87c3afe871a2ac3ccd78fc77f5bf2965
Link:
https://www.unpac.me/results/e161df78-43e0-4bb2-a4d9-b95ec438b0d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91db926d13bb0137347991e30a1ccd093e535ff375e102bfd44d9aae15650d21

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 91db926d13bb0137347991e30a1ccd093e535ff375e102bfd44d9aae15650d21

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1010799/
  
URLhaus
https://urlhaus.abuse.ch/url/995741/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117159/

Comments