MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b
SHA3-384 hash: 27334a3b5bca4f09070765cf2a62f15c41bf8a9f1d125793e4ae58ee6e65a56cf9302787868dc4948c4c0b9e57dfc450
SHA1 hash: 40be959c6151c3a224189045084c0c729540390d
MD5 hash: a1eb9b01ff7b80dac067728bc1476c55
humanhash: floor-chicken-california-mockingbird
File name:SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936
Download: download sample
Signature GuLoader
Create hunting rule
File size:636'952 bytes
First seen:2023-01-11 07:32:00 UTC
Last seen:2023-01-16 07:49:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 12288:AcWJ+6nT8mlodoRNnKRpj25w3Ng1ADX9rMIbyyjRt:AXBn1lodo6jf3NgMBxOyj/
Threatray 16'414 similar samples on MalwareBazaar
TLSH T139D46D91A58314D0F8ED60B41F0BDC8AD722694997C39EFB31E9D820E5E32221659DFF
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a292faac8e9a86a2 (3 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Trykknappens
Issuer:Trykknappens
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-11T00:08:38Z
Valid to:2026-01-10T00:08:38Z
Serial number: 42910097dea000ed
Thumbprint Algorithm:SHA256
Thumbprint: e5af7092995055a38166e1e8581c7388fcc688ca36fab3117c2dbdd164d52f3c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936
Verdict:
No threats detected
Analysis date:
2023-01-11 07:36:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/11999845-2fdb-472f-b8a9-b7ccc1fb3304

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351836/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% directory
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63be65fddde391056ac1d880/reports/08a8374b-1775-4072-b2e7-23fdd5b50f8e/overview
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9aad254e-8252-4e1f-8350-77009556bbaf
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1149410
Signature
Found C&C like URL pattern
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 782142 Sample: SecuriteInfo.com.Gen.Varian... Startdate: 11/01/2023 Architecture: WINDOWS Score: 84 36 googlehosted.l.googleusercontent.com 2->36 38 drive.google.com 2->38 40 doc-00-0k-docs.googleusercontent.com 2->40 48 Snort IDS alert for network traffic 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected GuLoader 2->52 54 Found C&C like URL pattern 2->54 9 SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe 3 34 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\Roaming\...\msvcp80.dll, PE32 9->24 dropped 26 C:\Users\user\AppData\Local\...\System.dll, PE32 9->26 dropped 56 Self deletion via cmd or bat file 9->56 58 Tries to detect Any.run 9->58 13 SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe 100 9->13         started        signatures6 process7 dnsIp8 42 152.89.218.97, 49837, 80 DHUBRU Russian Federation 13->42 44 drive.google.com 142.250.185.110, 443, 49835 GOOGLEUS United States 13->44 46 googlehosted.l.googleusercontent.com 142.250.186.65, 443, 49836 GOOGLEUS United States 13->46 28 C:\ProgramData\vcruntime140.dll, PE32 13->28 dropped 30 C:\ProgramData\softokn3.dll, PE32 13->30 dropped 32 C:\ProgramData\nss3.dll, PE32 13->32 dropped 34 3 other files (none is malicious) 13->34 dropped 60 Self deletion via cmd or bat file 13->60 62 Tries to harvest and steal browser information (history, passwords, etc) 13->62 64 Tries to detect Any.run 13->64 66 Tries to steal Crypto Currency Wallets 13->66 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 04:46:31 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u4qwp2j7hsdmjhopwyqrmqln3ffdpamtgjjpdyajnpv2pfz6fq5q._file
Verdict:
malicious
Similar samples:
094dc63a99e7f4978723577fdbbbadc74ffa4b907368c0cd48b3d0b5f14e3fbc
GuLoader
0ad287dbe151a940761d048d0a6214c15970455280ef7c98c240c223bf0a7a73
GuLoader
1104665d2257c57ec4b02dab78e072bbf7a091952d2e0424792d2caba586e5d6
GuLoader
12aac5d4158e47940eefe3ccea78ba7390872b2afedae626a9783b2ae2a76632
GuLoader
19905bdf0cb29dfbc07442ef68e3f5d58b1c6e80dbd051d558ed272e60b3269c
GuLoader
81ce31f6f3cd9a6a6037c411a1485bee35eaa93965fc6ccc2bd857c991fcad90
GuLoader
b1ce73dac896a841321b1f502bcc32313de930cd0e5561874e51e80dc7cb06cc
GuLoader
e7f968d64655db242cdc6330cf399c3b5e635b63b2ba734d5e2c2eee5986e9be
GuLoader
ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
GuLoader
+ 16'404 additional samples on MalwareBazaar
Result
Malware family:
marsstealer
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:marsstealer botnet:default discovery downloader spyware stealer
Link:
https://tria.ge/reports/230111-jc11fsfc5s/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
Mars Stealer
Malware Config
C2 Extraction:
152.89.218.97/gate.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4f1eec43-d999-4059-8220-482f9d96d6d1
Unpacked files
SH256 hash:
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
MD5 hash:
17ed1c86bd67e78ade4712be48a7d2bd
SHA1 hash:
1cc9fe86d6d6030b4dae45ecddce5907991c01a0
Link:
https://www.unpac.me/results/980674bf-3fb5-4b54-b0f3-ce6051156a3f/
SH256 hash:
a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b
MD5 hash:
a1eb9b01ff7b80dac067728bc1476c55
SHA1 hash:
40be959c6151c3a224189045084c0c729540390d
Link:
https://www.unpac.me/results/980674bf-3fb5-4b54-b0f3-ce6051156a3f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351836/

Comments