MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 937c5c7f89f4bc94355b490bc015a240badc8e8f5c291a2dafc5300aaad3892b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 937c5c7f89f4bc94355b490bc015a240badc8e8f5c291a2dafc5300aaad3892b
SHA3-384 hash: 983c2bf19af44ec69b1e7bed62567910b61f2a67fa93f3e071139b5d2707112ecead80e91844fbd76e2d1a253ebc0d38
SHA1 hash: 864c4e41313731a86ab09ddd7954f02be7fe4447
MD5 hash: 2d6850786866c2d901f00cf018e31c13
humanhash: network-bulldog-charlie-minnesota
File name:Kaneshite.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'273'896 bytes
First seen:2023-03-30 12:49:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd1dc23681f44e733e87b20cf5b908b7 (13 x GuLoader, 2 x Loki)
ssdeep 24576:WO/lnSVs+otNj+LAd67jd6rueOCkzrZz/c7BFdxREAs2nhZQHjN/x6a:WunCytNqLI6Xd6ae7khuLd8WhZQHJ/3
Threatray 745 similar samples on MalwareBazaar
TLSH T1564522467F80C573C62216F189B3E3758376AEA51A62065B32E07F2FBD7620294136FD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter malwarelabnet
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-25T03:04:47Z
Valid to:2026-01-24T03:04:47Z
Serial number: 111b119150b8a94bbb9e8e9da0aa31583be4dfb7
Thumbprint Algorithm:SHA256
Thumbprint: 365cccb83bf2025c493cac65ac050560cadeb740d7cae5edb2d2b0305b772019
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Kaneshite.exe
Verdict:
Malicious activity
Analysis date:
2023-03-30 12:52:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb752a55-7c80-4f4f-a943-d73e190d29d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378821/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.23112.26193.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75765/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6425857d8e162174987d8395/reports/152fc20d-03f6-4335-9192-12f0a026594a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/937c5c7f89f4bc94355b490bc015a240badc8e8f5c291a2dafc5300aaad3892b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8b9f950a-b909-491c-a6cb-64c5d757003c
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1205173
Signature
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/937c5c7f89f4bc94355b490bc015a240badc8e8f5c291a2dafc5300aaad3892b/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 07:06:32 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sn6fy74j6s6jink3jef4afncic5nzduplqurulnpyuyavkwtrevq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ad287dbe151a940761d048d0a6214c15970455280ef7c98c240c223bf0a7a73
GuLoader
19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e
GuLoader
428aee241022499cbd49907635162f116e24792b117490949fa3527dc130b90f
GuLoader
4b01d8e4729b07277f8f71037f9fbda1f8d817d9688850d941e7832727bb0276
GuLoader
95eea6606746af642726f423f651e78b52dc8652033b9ca6439a95248df0fde2
GuLoader
b15e539ba1801af269c976fa743708a0fc474fcdf6ba3a7433a08dfbf9eb1425
GuLoader
b1ce73dac896a841321b1f502bcc32313de930cd0e5561874e51e80dc7cb06cc
GuLoader
cd5a3db769491e5e9b19fe8f2703456f82dbd128babacf54ac1c494587665f72
GuLoader
f51bdb3c0026435904048abffb411be8b57143de59d0e66a3e2dfa3f2e5692ad
GuLoader
fb4c3c803b69b2823f0bb584ef77da38f17eaf18184058249b6dd7664234cb53
GuLoader
+ 735 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader spyware stealer
Link:
https://tria.ge/reports/230330-p2xxzseb51/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Guloader,Cloudeye
Unpacked files
SH256 hash:
ad594dc68518ac0fac6510e880b9510a51141deee394defd12508f34e0b9b144
MD5 hash:
fc8c89912fad3e936294eb62e9256069
SHA1 hash:
cd3fc848caa3f3c2029c2c22137bf1f0e6e9e456
Link:
https://www.unpac.me/results/5ae9b28e-79b0-4b73-b278-65cb1cc8e152/
SH256 hash:
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
MD5 hash:
4d3b19a81bd51f8ce44b93643a4e3a99
SHA1 hash:
35f8b00e85577b014080df98bd2c378351d9b3e9
Link:
https://www.unpac.me/results/5ae9b28e-79b0-4b73-b278-65cb1cc8e152/
SH256 hash:
937c5c7f89f4bc94355b490bc015a240badc8e8f5c291a2dafc5300aaad3892b
MD5 hash:
2d6850786866c2d901f00cf018e31c13
SHA1 hash:
864c4e41313731a86ab09ddd7954f02be7fe4447
Link:
https://www.unpac.me/results/5ae9b28e-79b0-4b73-b278-65cb1cc8e152/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/937c5c7f89f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/937c5c7f89f4bc94355b490bc015a240badc8e8f5c291a2dafc5300aaad3892b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/378821/

Comments