MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eaaa51cdaaead40d21f14ead0122b0e9862326895d672fa803d2c6fad981602. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9eaaa51cdaaead40d21f14ead0122b0e9862326895d672fa803d2c6fad981602
SHA3-384 hash: 1618922ef0cac360d379e3df6bfbaedcf2cc20c4402f7bec6a4150b2c85489e05a0758b367f3e6df5489b5a023c6ecba
SHA1 hash: 1ed68eedb0e882a36fdf7f518e620c41843f7966
MD5 hash: 08da1f7e1e3464753d7f705d2767771b
humanhash: berlin-steak-johnny-three
File name:MT103 SWIFT COPY TT.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:102'400 bytes
First seen:2021-03-04 09:26:22 UTC
Last seen:2021-03-04 11:06:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 06b79053e2b8e3ae2f454e15c98ad6b1 (4 x GuLoader, 1 x RemcosRAT)
ssdeep 768:E/pKRo9bQ7VFQVqT95ll3Rr67jMDvnB16uaHi/8OcYPo9bQ7V6KGC:E/8i9sNT95z93DPD6Djv9sRGC
Threatray 257 similar samples on MalwareBazaar
TLSH 85A36EDA6199C081F0C75AB1C839E2F72287AC15C6B136172B9D3E7A39B951013FC66F
Reporter cocaman
Tags:exe GuLoader SWIFT

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MT103 SWIFT COPY TT.exe
Verdict:
No threats detected
Analysis date:
2021-03-04 09:28:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7543267-f590-4cdb-b45f-061a44d44f8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122241/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/628461
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9eaaa51cdaaead40d21f14ead0122b0e9862326895d672fa803d2c6fad981602/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 06:02:11 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
4 of 47 (8.51%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t2vkkhg2v2wubuq7ctvnaerlb2mgemtisxlhf6uahuwg7lmycyba._file
Verdict:
suspicious
Similar samples:
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
GuLoader
250d4d5045162c39e3c1b9d637e0188089299a04106202afdf1f4826d24e27f4
GuLoader
37fba5e93049ee78ac1fdf1fafe945636680193ddcb1dc9533f2c9ac80d3744c
GuLoader
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
GuLoader
479f929625a3e8a8f98256c3a020f5946e0d88fd7e3582e47b63500679d46585
GuLoader
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
GuLoader
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
GuLoader
a9c312936a88ac3629aa8fb5c4d6b5fe5fcad17319b825bf4b383fd807cb3f51
GuLoader
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
GuLoader
f8c32c700279f87b3956631cc6567e746afed535006a45f0839d4d346db8ad00
GuLoader
+ 247 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210304-g526wfabvn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/c6d430f6-f21a-4e03-a123-e64139ba9982/
SH256 hash:
9eaaa51cdaaead40d21f14ead0122b0e9862326895d672fa803d2c6fad981602
MD5 hash:
08da1f7e1e3464753d7f705d2767771b
SHA1 hash:
1ed68eedb0e882a36fdf7f518e620c41843f7966
Link:
https://www.unpac.me/results/c6d430f6-f21a-4e03-a123-e64139ba9982/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9eaaa51cdaaead40d21f14ead0122b0e9862326895d672fa803d2c6fad981602

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 78425be354ee3383c0a89283e7eae3bbf3646339790c2bb8108a6549965c1d68

GuLoader

Executable exe 9eaaa51cdaaead40d21f14ead0122b0e9862326895d672fa803d2c6fad981602

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 78425be354ee3383c0a89283e7eae3bbf3646339790c2bb8108a6549965c1d68
Cape
Cape
https://www.capesandbox.com/analysis/122241/

Comments