MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a02ec2909c9fd5e1f0637bae5b0df4676a3ae68990a5a03f3ba4e6e16ee86316. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	a02ec2909c9fd5e1f0637bae5b0df4676a3ae68990a5a03f3ba4e6e16ee86316
SHA3-384 hash:	e53db405d19eec8331b36e94cbd3bd54ba57be6e42a6ccc4f0f503e8f19aa5bef5e9a0d28c17278471fd37ee001a3897
SHA1 hash:	a69f6e027557b9f38275987f3ade9577a1749cf9
MD5 hash:	838778261bf67528b4a3d8f70616777e
humanhash:	venus-march-muppet-johnny
File name:	RFQ02578.exe
Download:	download sample
Signature	GuLoader Alert Create hunting rule
File size:	526'814 bytes
First seen:	2023-07-19 11:15:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4ea4df5d94204fc550be1874e1b77ea7 (241 x GuLoader, 29 x RemcosRAT, 17 x VIPKeylogger)
ssdeep	12288:CQIzlMDWB52MtAaD1PZnx60wuekVG1K7mN:eRMyj2MtAaDJNx60wOEciN
Threatray	362 similar samples on MalwareBazaar
TLSH	T155B412227658D167DA610FF10DB2B9AA8AE48C11FC74E60F635D386D7BB03E16D0E316
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ba7e4b6343cbc2ea (5 x GuLoader)
Reporter	lowmal3
Tags:	exe GuLoader

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

260

Origin country :

DE

Vendor Threat Intelligence

ANY.RUN Suspicious

Malware family:

n/a

ID:

1

File name:

RFQ02578.exe

Verdict:

Suspicious activity

Analysis date:

2023-07-19 11:17:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/24aec214-3cc6-4dfe-9a6f-ada98aa612df

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/424572/

ClamAV Detected

Detection(s):

SecuriteInfo.com.FileRepMalware.3334.4033.UNOFFICIAL

Alert

Create hunting rule

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64b7c5f3f3c193545ac6d087/reports/fd419139-f4a4-4af5-9d5b-bbc78cf1bd85/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/a02ec2909c9fd5e1f0637bae5b0df4676a3ae68990a5a03f3ba4e6e16ee86316

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2b153664-76d6-4edc-94ff-45f483480ccf

Joe Sandbox GuLoader, Remcos

Result

Threat name:

GuLoader, Remcos

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad.spyw

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1275871

Signature

Installs a global keyboard hook

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a02ec2909c9fd5e1f0637bae5b0df4676a3ae68990a5a03f3ba4e6e16ee86316/

ReversingLabs TitaniumCloud Win32.Trojan.Generic

Threat name:

Win32.Trojan.Generic

Alert

Create hunting rule

Status:

Suspicious

First seen:

2023-07-19 02:37:10 UTC

File Type:

PE (Exe)

Extracted files:

27

AV detection:

9 of 38 (23.68%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uaxmfee4t7k6d4ddpoxfwdpum5vdvzujscs2apz3uttoc3ximmla._file

Threatray unknown

Verdict:

unknown

Similar samples:

079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f

GuLoader

23ce36201afc4312d9e6057eaeb99898c8d78146bebe00374a66bcaa34e003ca

GuLoader

595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb

GuLoader

991ab8c38fea82c09c29d8ba23996b3626d0a6d6dad0493e95081cee5eab039e

GuLoader

fe82cfddba182b0d597e5658c2eea85e7282e27fcae8f7e8986ce5c2ed452e31

GuLoader

+ 352 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

discovery

Link:

https://tria.ge/reports/230719-nc45bsde8x/

Behaviour

Enumerates physical storage devices

Checks installed software on the system

Loads dropped DLL

UnpacMe 2

Unpacked files

SH256 hash:

982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

MD5 hash:

0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1 hash:

10c51496d37cecd0e8a503a5a9bb2329d9b38116

Link:

https://www.unpac.me/results/c933bcbc-f377-4dac-b67c-46e8bdaa759f/

SH256 hash:

a02ec2909c9fd5e1f0637bae5b0df4676a3ae68990a5a03f3ba4e6e16ee86316

MD5 hash:

838778261bf67528b4a3d8f70616777e

SHA1 hash:

a69f6e027557b9f38275987f3ade9577a1749cf9

Link:

https://www.unpac.me/results/c933bcbc-f377-4dac-b67c-46e8bdaa759f/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a02ec2909c9fd5e1f0637bae5b0df4676a3ae68990a5a03f3ba4e6e16ee86316

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe a02ec2909c9fd5e1f0637bae5b0df4676a3ae68990a5a03f3ba4e6e16ee86316

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/424572/