MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7d94673cc8d4e0826a9a240bd1d161b34bec3bea25c036a94df69240015469c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7d94673cc8d4e0826a9a240bd1d161b34bec3bea25c036a94df69240015469c
SHA3-384 hash: d61995e3222e9b7a1b096b6e3f9fd00521c8e268bd1c80649d559d648fa1160988cd9031a6a88c4ea2d7013dbc54bd96
SHA1 hash: 6942961bab54d82a358acacf39c7ad39b00e7e23
MD5 hash: 73f1d754f5b74906061d0c374a1ee1e1
humanhash: four-saturn-hydrogen-sixteen
File name:MJH.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:126'976 bytes
First seen:2021-06-01 13:41:21 UTC
Last seen:2021-06-01 14:46:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 153a31799770099c7b08b378cdd5eb59 (1 x GuLoader)
ssdeep 1536:9KNipDQlK8hgRDMGo0WY4lFPa1P4qrt+iKTUGFE:Iflv+g8/aaRt7PGy
Threatray 1'748 similar samples on MalwareBazaar
TLSH 43C30FCF65A5AC2CE6DE2EF4AC34A48707193C00AB14522F71C8EABDAB705A17DD1717
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MJH.exe
Verdict:
No threats detected
Analysis date:
2021-06-01 13:55:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/81d3c574-2d2d-43e1-9246-f168146a182c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163840/
Detection(s):
SecuriteInfo.com.Mal.Gen.18002.21159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/795320
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Detected Remcos RAT
Found malware configuration
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 427716 Sample: MJH.exe Startdate: 01/06/2021 Architecture: WINDOWS Score: 100 49 ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu 2->49 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 5 other signatures 2->61 10 MJH.exe 1 2->10         started        13 vpn.exe 1 2->13         started        15 vpn.exe 1 2->15         started        signatures3 process4 signatures5 73 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->73 75 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->75 77 Tries to detect Any.run 10->77 79 Tries to detect virtualization through RDTSC time measurements 10->79 17 MJH.exe 1 10 10->17         started        81 Hides threads from debuggers 13->81 22 vpn.exe 6 13->22         started        24 vpn.exe 15->24         started        process6 dnsIp7 47 avenuesports.pk 192.185.164.243, 49729, 49732, 49734 UNIFIEDLAYER-AS-1US United States 17->47 41 C:\Users\user\AppData\Roaming\vpn.exe, PE32 17->41 dropped 43 C:\Users\user\...\vpn.exe:Zone.Identifier, ASCII 17->43 dropped 63 Tries to detect Any.run 17->63 65 Hides threads from debuggers 17->65 26 cmd.exe 1 17->26         started        file8 signatures9 process10 signatures11 83 Uses ping.exe to sleep 26->83 85 Uses ping.exe to check the status of other devices and networks 26->85 29 vpn.exe 1 26->29         started        32 PING.EXE 1 26->32         started        35 conhost.exe 26->35         started        process12 dnsIp13 87 Multi AV Scanner detection for dropped file 29->87 89 Contains functionality to detect hardware virtualization (CPUID execution measurement) 29->89 91 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 29->91 93 3 other signatures 29->93 37 vpn.exe 1 7 29->37         started        45 127.0.0.1 unknown unknown 32->45 signatures14 process15 dnsIp16 51 avenuesports.pk 37->51 53 ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu 46.243.207.43, 6932 AS40676US Netherlands 37->53 67 Tries to detect Any.run 37->67 69 Hides threads from debuggers 37->69 71 Installs a global keyboard hook 37->71 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7d94673cc8d4e0826a9a240bd1d161b34bec3bea25c036a94df69240015469c/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 10:13:01 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7mum46mrvhaqjvjujal2hiwdm2l5q56ujoag2uu35usiaavi2oa._file
Verdict:
malicious
Similar samples:
01006d50a9052ffee3ea3dc6429aeb86e4d361d1ffe69a455bb00a1e03962166
GuLoader
02738721df55077c4a8b8826e7cdd0243003ba4b34cb71f314ad05a29330c9c3
GuLoader
2b63f1488d9a8396513a3dd2ca07b44adee4b1187dc5e6d94934ed6271e76f5d
GuLoader
3016a6fd03e57ee760ab4c79ec8822caa4eda8c24236d7eec230f6ca6f4d785a
GuLoader
311bf44fb33aa4661e8630fcb2830f22714427133527c1768f0b0ceaad502533
GuLoader
34a666042ff3ad45f4e1e37776cc55d4f4fdd1bcd8233852839d55fc076410d1
GuLoader
8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
GuLoader
9193d6cb634d0be563a786dbb165b8991093c451aac3a4d82c7bde0213f1e106
GuLoader
b0ce84526989dd02968e8ddae780d47de367ece10dbfc9d472893531abd08825
GuLoader
b89879aceeecfb9524dd5e08dde9afb89d7d39d5a4fc1c1cd4736693bf4cc39d
GuLoader
+ 1'738 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210601-esb4twyr7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Malware Config
C2 Extraction:
http://avenuesports.pk/Sk/Maily%20_remcos_poYYVI175.bin
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/a7d94673cc8d4e0826a9a240bd1d161b34bec3bea25c036a94df69240015469c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/163840/

Comments