MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d631f6dbf464b2cd73809ebbc09805e8ccc0fdb485b3c06fbbe6ea34a8305c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d631f6dbf464b2cd73809ebbc09805e8ccc0fdb485b3c06fbbe6ea34a8305c0
SHA3-384 hash: a16b467790479edd30900291548d3b560a1994b37c9a563c149f97015cf6924b2f5f93b91728ca9fef1f767efa2fe7a1
SHA1 hash: 883747ec7bb85a97ee825b610e840015d03d312d
MD5 hash: 8f488bf3643183b3e0eddfb0ee888083
humanhash: batman-iowa-rugby-mars
File name:8f488bf3643183b3e0eddfb0ee888083
Download: download sample
Signature GuLoader
Create hunting rule
File size:417'664 bytes
First seen:2023-06-15 05:07:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:20+FrXbGM2i28hs/ixYNUiUduw5aWZ6Fsq8KQw:20YraPL/4iUduw5Pgyq8Kf
Threatray 282 similar samples on MalwareBazaar
TLSH T15B94125067B6D87BD82149B0D9B782F71935EE49E820570FAB507F0E7933A80CA4E3D5
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-16T07:22:00Z
Valid to:2026-03-15T07:22:00Z
Serial number: 42b7b63f17a433153c4d8e23e149745890d32459
Thumbprint Algorithm:SHA256
Thumbprint: 38122332c2841bc97432449b2a7a99d89de8c3cae59dbe8881501a7e4b7be420
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
8f488bf3643183b3e0eddfb0ee888083
Verdict:
Malicious activity
Analysis date:
2023-06-15 05:10:48 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/9d0913d4-b005-407b-b50b-6746a2d0a01d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/399006/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33929858.3469.32642.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90789/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/648a9cb275931fcf7f14c132/reports/db87bc5e-c0dd-468d-bf43-b190cd55aec6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9d631f6dbf464b2cd73809ebbc09805e8ccc0fdb485b3c06fbbe6ea34a8305c0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3cc5e8eb-f831-45d6-8830-88997ef4733c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255019
Signature
Antivirus detection for URL or domain
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 888039 Sample: FVGn3CrOf0.exe Startdate: 15/06/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Antivirus detection for URL or domain 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 3 other signatures 2->44 8 FVGn3CrOf0.exe 1 18 2->8         started        process3 file4 30 C:\Users\user\AppData\Roaming\...\Hohe.Met, ASCII 8->30 dropped 50 Suspicious powershell command line found 8->50 12 powershell.exe 10 8->12         started        signatures5 process6 signatures7 52 Very long command line found 12->52 15 powershell.exe 9 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 54 Writes to foreign memory regions 15->54 56 Tries to detect Any.run 15->56 20 ieinstal.exe 3 14 15->20         started        24 ieinstal.exe 15->24         started        26 ieinstal.exe 15->26         started        28 ieinstal.exe 15->28         started        process10 dnsIp11 32 colukas37.ddns.net 194.180.48.191, 2111, 49700 LVLT-10753US Germany 20->32 34 109.206.240.64, 49699, 80 AWMLTNL Germany 20->34 36 geoplugin.net 178.237.33.50, 49701, 80 ATOM86-ASATOM86NL Netherlands 20->36 46 Tries to detect Any.run 20->46 48 Installs a global keyboard hook 20->48 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d631f6dbf464b2cd73809ebbc09805e8ccc0fdb485b3c06fbbe6ea34a8305c0/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2023-06-09 08:29:34 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 37 (43.24%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvrr63n7izfszvzybhv3ycmal2gmyd63jbntybx3xzxkgsudaxaa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
1e08bbecaa308b4390f6313410fb0f23c47c989e1a247c21fd0ab26b72f666c6
GuLoader
466a8e22e7c7b6f48e4ad215d7366ef595748a37f4ce4a50449ecc89fbe16d2b
GuLoader
49a73b28d4122d560e987d24674e9e5e0038aa6c56e83e07b43c383b5b29ff44
GuLoader
52b0f189a1e266fd5e8ebbb97d116c47a28842eea388669753657342a9dc4083
GuLoader
69b1f9d8334bb44d7b7f10a9efc31ad30cfe72ded8bd3e4a6da67b71a2bd485d
GuLoader
69c845dfc6e399c55730f8ffe5a7c822f3b36f94cf5905415d8b673e9f391329
GuLoader
ac1f084845ff5e15e2e7748d5ca4ebfc36334b62e02d51d1ddb17c8fcf7bb210
GuLoader
b689885667b1f8a29bafedff5fc69526534732ebb7731d98bbc06f7005b245d5
GuLoader
+ 272 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:lukas-host downloader rat
Link:
https://tria.ge/reports/230615-fsjjkaef86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
colukas37.ddns.net:2111
Unpacked files
SH256 hash:
9d631f6dbf464b2cd73809ebbc09805e8ccc0fdb485b3c06fbbe6ea34a8305c0
MD5 hash:
8f488bf3643183b3e0eddfb0ee888083
SHA1 hash:
883747ec7bb85a97ee825b610e840015d03d312d
Link:
https://www.unpac.me/results/9b07f7ad-1c7d-477a-aafc-029c933e1657/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d631f6dbf46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d631f6dbf464b2cd73809ebbc09805e8ccc0fdb485b3c06fbbe6ea34a8305c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 9d631f6dbf464b2cd73809ebbc09805e8ccc0fdb485b3c06fbbe6ea34a8305c0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2661513/
Cape
Cape
https://www.capesandbox.com/analysis/399006/

Comments


Avatar
zbet commented on 2023-06-15 05:07:46 UTC

url : hxxp://109.206.240.64/LUK.exe