MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa474883fd952e16e13715aa7a698fa8eb0d596fea71d03dfbaa235a1b08aa15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa474883fd952e16e13715aa7a698fa8eb0d596fea71d03dfbaa235a1b08aa15
SHA3-384 hash: 1a06a1652de844b1711d5ad2dbdd8e605c3bd35a902e1172e6da1aba5d8fbe724f316250148b503da7e84081fe956917
SHA1 hash: 9a47bf42898712ac86683f9af9df0c6943059f6d
MD5 hash: 13e0cd9df74775213bc78eba0c269add
humanhash: lamp-high-oranges-mars
File name:13e0cd9d_by_Libranalysis
Download: download sample
Signature GuLoader
Create hunting rule
File size:112'376 bytes
First seen:2021-05-19 19:01:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 1536:y+FcZvFPSxWCgNxJUqTy8XKc/q9mnBYnthsOrQ8grIPUkoGCJzW1Qr:DKSxTWKAWh3nFfwzWW
Threatray 1'652 similar samples on MalwareBazaar
TLSH 28B3C676BAFBF575FE5880F0670C83A981A72E34C8154957DCC22918A3F26369A503F7
Reporter Libranalysis
Tags:GuLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
13e0cd9d_by_Libranalysis
Verdict:
Malicious activity
Analysis date:
2021-05-19 19:06:59 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/72afd961-3c67-4634-ad0d-b5bafc03c193

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158757/
Detection(s):
SecuriteInfo.com.Variant.Jaik.45934.5417.28725.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785296
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 417696 Sample: 13e0cd9d_by_Libranalysis Startdate: 19/05/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Potential malicious icon found 2->53 55 Found malware configuration 2->55 57 6 other signatures 2->57 10 13e0cd9d_by_Libranalysis.exe 2->10         started        13 win.exe 2->13         started        15 win.exe 2->15         started        process3 signatures4 67 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->67 69 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->69 71 Tries to detect Any.run 10->71 73 Tries to detect virtualization through RDTSC time measurements 10->73 17 13e0cd9d_by_Libranalysis.exe 4 10 10->17         started        75 Hides threads from debuggers 13->75 22 win.exe 2 7 13->22         started        24 win.exe 6 15->24         started        process5 dnsIp6 45 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 103.232.54.201, 49746, 49751, 49752 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 17->45 39 C:\Users\user\AppData\Roaming\win.exe, PE32 17->39 dropped 41 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 17->41 dropped 43 C:\Users\user\AppData\Local\...\install.vbs, data 17->43 dropped 59 Tries to detect Any.run 17->59 61 Hides threads from debuggers 17->61 26 wscript.exe 1 17->26         started        47 ghdyuienah123.freedynamicdns.org 104.37.7.48, 2006 DIMENOCUS United States 22->47 file7 signatures8 process9 process10 28 cmd.exe 1 26->28         started        process11 30 win.exe 28->30         started        33 conhost.exe 28->33         started        signatures12 77 Multi AV Scanner detection for dropped file 30->77 79 Contains functionality to detect hardware virtualization (CPUID execution measurement) 30->79 81 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 30->81 83 3 other signatures 30->83 35 win.exe 6 30->35         started        process13 dnsIp14 49 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 35->49 63 Tries to detect Any.run 35->63 65 Hides threads from debuggers 35->65 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aa474883fd952e16e13715aa7a698fa8eb0d596fea71d03dfbaa235a1b08aa15/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 15:56:48 UTC
AV detection:
21 of 47 (44.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjdura75suxbnyjxcwvhu2mpvdvq2wlp5jy5app3virvugyivikq._file
Verdict:
unknown
Similar samples:
02738721df55077c4a8b8826e7cdd0243003ba4b34cb71f314ad05a29330c9c3
GuLoader
1ad231fb8cb3ab712bef3aae2c319cdd3d9f085eea7e0d205ca3729a85eb1294
GuLoader
3ee7986c2ffb27457b0e9d270fdd477c953c310503fffc27aed1aa8cc6e8c70d
GuLoader
429a766fbf315ee6e6ec01e3a36cc39a66b14c3c71d2a5de94f5fbd2212367dd
GuLoader
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
GuLoader
7aac0d666b2552cb06d944ea7c54852070a9434708b221232faff64396b8f70a
GuLoader
86b20b72e5394385d0f51a531923647759f9bc02d048df3c1aad7e26ed773a8b
GuLoader
8f1517666a1f5f7f6d0f38814909251d41de92126c2a7df0626de2fa1ae9ba1f
GuLoader
d5956571b9e9bc5c925d5b26a0bd0771c636bff202c0adb7d1d9ad6efe487bae
GuLoader
ed3a8701ae1164a1eec2e06b24ce46f54dd8c19838f7c5f92938cf1156178dca
GuLoader
+ 1'642 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader persistence rat
Link:
https://tria.ge/reports/210519-e6rb25gwlx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/Eric_2021_eyKIYWgo49.bin
ghdyuienah123.freedynamicdns.org:2006
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa474883fd952e16e13715aa7a698fa8eb0d596fea71d03dfbaa235a1b08aa15

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe aa474883fd952e16e13715aa7a698fa8eb0d596fea71d03dfbaa235a1b08aa15

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/158757/
  
URLhaus
https://urlhaus.abuse.ch/url/1256744/
  
Delivery method
Distributed via web download

Comments