MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45
SHA3-384 hash: 07a0fdd00dd6b136f30f56126de293097b33fd92cce0dc6e9f82089867d88c37f003b6b0fc6f268e09718308993effd7
SHA1 hash: 479858ef740172cb3791527a9c9d0da76eec3af4
MD5 hash: 0153ae8cf4b1f546721332b5cb3f973c
humanhash: timing-cup-montana-fish
File name:KHAWATMI CO.IMPORT & EXPORT.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:147'456 bytes
First seen:2021-08-03 05:47:10 UTC
Last seen:2021-08-03 07:27:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fef384fc3a66a559dff455f07d497ca0 (5 x GuLoader)
ssdeep 1536:EtVr5LC183SqwDIse4yckz/50ZG8tnSSyeMn5iXDjTf8+Oh1K:E/5CIRwDdeZcFYeMn5iXDj5Oh1K
Threatray 7'004 similar samples on MalwareBazaar
TLSH T1A9E35F7F84ECD166E315F8F46827E4B5120434CBAB0E166F5448B6BCF6279912C91E3B
dhash icon d4eac8cccce8e8d4 (7 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
4
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KHAWATMI CO.IMPORT & EXPORT.exe
Verdict:
No threats detected
Analysis date:
2021-08-03 05:49:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cfae53ba-7b72-4674-83b9-94dc0dcbef24

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175923/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c437cde-be48-4752-83a2-1d91f51d9c84
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825868
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
GuLoader behavior detected
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 05:04:30 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s77opywfgpl22ocuzwjntuw3zxplhmeohyglcqquwqy5hfym3jcq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
5c4943289a1959b03d31592b147472be4d31a2637316b7bbe102412082619502
GuLoader
6a1be88d091d3365e9343a762f8ef32e88c6c0953efd09b7fdcc6bbf514b2ebd
GuLoader
788af4037d2336793213e33ba539a4b8f3bed5507f660f63bcfc40e1cc67863e
GuLoader
7c72d2e12ed2db6353a373d16c07eaf27fbf110c75a2dc7535ec7d624cb42012
GuLoader
821bc12d61a9ad2698823b6f54bbba6b8e9fba81a167a438f7da728d1dcd381d
GuLoader
8682df8104337b21a5ec19279b4f7c51a199e53dbb77b5d5a73ea8eeda545ba0
GuLoader
97e8e53c9ad758050c08da0cf14f7024dba1d7710b0f612f13d2b5a458dd13bb
GuLoader
b59374ff4efaa214c04a353aa3cf500ca22c43b63f27d0c3fb0495bd942ac734
GuLoader
c03b5d783971f4ab3ae3dac1b9576acfc0334cd919ffd74bb6ac01cbef2b128d
GuLoader
e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
GuLoader
+ 6'994 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210803-831ssrc2ys/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Unpacked files
SH256 hash:
97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45
MD5 hash:
0153ae8cf4b1f546721332b5cb3f973c
SHA1 hash:
479858ef740172cb3791527a9c9d0da76eec3af4
Link:
https://www.unpac.me/results/c2811297-ec17-440f-8b9e-3ae307596c15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175923/

Comments