MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aac13b3f25b043fcc1baaa1481ab241a4845ff0d978fe86a455deaf28cedd352. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	aac13b3f25b043fcc1baaa1481ab241a4845ff0d978fe86a455deaf28cedd352
SHA3-384 hash:	9ab23e8dd499070e2494189972d6e0ee8d1d4606da5cfc5c7f2999c8e760101b0d0d96fc3b3fee720068a1a4f2ac38ac
SHA1 hash:	2331eaecdd1da03fc229c8639cddc03ccc34e18f
MD5 hash:	f51029776cf59c102ed0e1c757484e8b
humanhash:	finch-speaker-ink-timing
File name:	EUR_Cert_3883774784847_CMR8494849.pdf.scr.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	473'318 bytes
First seen:	2022-05-23 12:33:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	12288:73nKn0c4uKYOroZWTjvUycs8t6YQt89VgZP:73ni0c4f7roYTjvUycs8Q
Threatray	1'861 similar samples on MalwareBazaar
TLSH	T1C8A4E12357184979C87E4F73B02AF6A244726F772930A30F7786B53B28B11524A2FDB5
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0e8c8c88e8eb29a (5 x GuLoader)
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

EUR_Cert_3883774784847_CMR8494849.pdf.scr.exe

Verdict:

Malicious activity

Analysis date:

2022-05-24 01:33:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8f40aeee-0101-4a3c-9838-31d11c617907

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/273670/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19660/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe guloader nanocore overlay packed shell32.dll wacatac

Link:

https://www.filescan.io/uploads/628b7f77370bb1455cc0929a/reports/749dbc62-ac82-472d-b392-fc81bb235419/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/efaf8cd7-4a8d-4b77-821a-7071730d88b0

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1000101

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect Any.run

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aac13b3f25b043fcc1baaa1481ab241a4845ff0d978fe86a455deaf28cedd352/

Threat name:

Win32.Downloader.GuLoader

Status:

Malicious

First seen:

2022-05-23 01:54:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vlatwpzfwbb7zqn2vikidkzedjeel7yns6h6q2sflxvpfdhn2nja._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

19e5b14651f7ad050e2b9dc95e5bb7574a8fdde378bfbc7101ee7e2276c23d62

GuLoader

2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee

GuLoader

3944b429bf931ab06a980d4d15dfd69b5ea442c68938e0aee354e6c25311f94f

GuLoader

5810b0d44b3328dead0b3bc7fc6c3178193a1bd88c5b21ecaea224f56cc7aef3

GuLoader

75f352e00f106877b2e7197ab6b6be0234aba379dec517009a7e26bfef612921

GuLoader

8db83c5c1507e0307df594c1f068faef19e6e3377dd8d6ed3c9610b70bf93356

GuLoader

+ 1'851 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/220523-prryzsddd3/

Behaviour

Enumerates physical storage devices

Checks installed software on the system

Loads dropped DLL

Guloader,Cloudeye

Unpacked files

SH256 hash:

6a90bebbb03585d60ed8df07772533fe94bbc3e06d6d9d24f66ca7aa180404cc

MD5 hash:

cb53de3a8f568991cf490976313ad20d

SHA1 hash:

ed7d7dd29f5d3349812a59252627dc4966d65284

Link:

https://www.unpac.me/results/849b2c69-9a0b-425e-ada3-839c1ae149b5/

SH256 hash:

aac13b3f25b043fcc1baaa1481ab241a4845ff0d978fe86a455deaf28cedd352

MD5 hash:

f51029776cf59c102ed0e1c757484e8b

SHA1 hash:

2331eaecdd1da03fc229c8639cddc03ccc34e18f

Link:

https://www.unpac.me/results/849b2c69-9a0b-425e-ada3-839c1ae149b5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aac13b3f25b043fcc1baaa1481ab241a4845ff0d978fe86a455deaf28cedd352

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/273670/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample