MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6054541b371277854294a9db3aa1673097da435ab73c4cd70f5c794d648d741. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments 1

SHA256 hash:	a6054541b371277854294a9db3aa1673097da435ab73c4cd70f5c794d648d741
SHA3-384 hash:	9513ea4671eae8df89ad198747c2ff855362f3b5a085ba2de3e1ed9b7a9f00d018b6052ee7ec08095e18ef5b8b086f39
SHA1 hash:	1638abdef5c3b151d44c07761f64f2a0a442bb0f
MD5 hash:	cc0a1c96c14263e48f82965ff47e0521
humanhash:	edward-summer-don-thirteen
File name:	cc0a1c96c14263e48f82965ff47e0521
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	422'320 bytes
First seen:	2023-06-15 04:26:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	12288:S0+FrXbGM2i28hs/qhYPLSapCm6gcYYYdlo:S0YraPL/q6PuaQmmrYHo
Threatray	1'608 similar samples on MalwareBazaar
TLSH	T1539423A56E34C4BBD8169A70CDD7C7F56E69AD14E810864F1B517F28BA33B80C61E3C2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	zbetcheckin
Tags:	32 exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-02-26T05:02:38Z
Valid to:	2026-02-25T05:02:38Z
Serial number:	7a7fce574fd2dbd967b3c61a5e165acd1111e545
Thumbprint Algorithm:	SHA256
Thumbprint:	3c5469dc4489582aec638d7da596039a3220772f27833f094b043ff911a03fdc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

305

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

cc0a1c96c14263e48f82965ff47e0521

Verdict:

Malicious activity

Analysis date:

2023-06-15 04:27:48 UTC

Tags:

remcos

Link:

https://app.any.run/tasks/0d75e5bf-b238-4a6e-92a8-352ab1791682

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/399005/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33925799.17857.14330.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Searching for the window

Sending a custom TCP request

Launching a process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90788/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/648a931640b26d42ee557f52/reports/9e87fb17-5d15-42b2-b1c0-c93fce457a86/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a6054541b371277854294a9db3aa1673097da435ab73c4cd70f5c794d648d741

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/17efea20-c829-4321-8976-754e1b035710

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a6054541b371277854294a9db3aa1673097da435ab73c4cd70f5c794d648d741/

Threat name:

Win32.Adware.RedCap

Status:

Malicious

First seen:

2023-06-09 13:33:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 37 (43.24%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uycukqntoetxqvbjjko3hkqwomex3jbvvnz4jtlq6xdzjvsi25aq._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

0ead3606ff3625f1daa4c3e9a592f18f0f136d0373be4db5f1500c861cc791df

GuLoader

2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b

GuLoader

2afb072fe81c319cbe4cee6d2c660a16a833b4243c8e5ea0aa041b2b974c3ef5

GuLoader

30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02

GuLoader

79e1fc85396ae65e8431f8ceb92fefb5ec396381840d830c415ea2d81cb78a49

GuLoader

b689885667b1f8a29bafedff5fc69526534732ebb7731d98bbc06f7005b245d5

GuLoader

e4a8a88bffaf744487df4bfd56f975542f59efb4aabe037f2ce5baea61875f98

GuLoader

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

GuLoader

+ 1'598 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:guloader family:remcos botnet:awelle-host downloader rat

Link:

https://tria.ge/reports/230615-e234wsef3z/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Remcos

Malware Config

C2 Extraction:

gdyhjjdhbvxgsfe.gotdns.ch:2718

Unpacked files

SH256 hash:

a6054541b371277854294a9db3aa1673097da435ab73c4cd70f5c794d648d741

MD5 hash:

cc0a1c96c14263e48f82965ff47e0521

SHA1 hash:

1638abdef5c3b151d44c07761f64f2a0a442bb0f

Link:

https://www.unpac.me/results/f67c7ca1-0814-41c8-9e68-d235f6d482e7/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a6054541b371/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a6054541b371277854294a9db3aa1673097da435ab73c4cd70f5c794d648d741

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

exe a6054541b371277854294a9db3aa1673097da435ab73c4cd70f5c794d648d741

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2661494/

Cape

https://www.capesandbox.com/analysis/399005/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-06-15 04:26:17 UTC

url : hxxp://109.206.240.64/HBZ.exe