MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab189a55bc7ae7365ec71c2cab0118b5d644bc0aba0c07a65eba487b8100cd40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	ab189a55bc7ae7365ec71c2cab0118b5d644bc0aba0c07a65eba487b8100cd40
SHA3-384 hash:	15b2b24d75ed1c0f5ea98f24762fed20bbfad52c3ce3ba7f420e96f4de4ba34e6424c1751ca467dc34b27a43cb42a51c
SHA1 hash:	48c3e650afc8e02fb28e35a3adf9837405c256dd
MD5 hash:	9ecb20a54018b36cfc31ba3a38b3b369
humanhash:	johnny-pennsylvania-diet-tennessee
File name:	REQUEST FOR OFFER 25-05-2022·pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	923'360 bytes
First seen:	2022-05-25 11:25:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	24576:2NMj/MARt0dn9Kuclo30QTA8lpwXowK9g9RZEUaHoSf:mMLqdnWOTAZqoRZEU0
Threatray	11'700 similar samples on MalwareBazaar
TLSH	T1AD1523097381D444C8F21E31EEB5CAF666ADAD95E61907132344FE5C3DF4282BA963B3
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	malwarelabnet
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Tumblere5 DUDAIM Tellurite4 Reintrenched Palliate
Issuer:	Tumblere5 DUDAIM Tellurite4 Reintrenched Palliate
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-05-24T23:05:02Z
Valid to:	2023-05-24T23:05:02Z
Serial number:	50f486bf42083856
Thumbprint Algorithm:	SHA256
Thumbprint:	24ccfbdc9dd297c14878194f068718cae4faa7a40ee2ad0b100da362bf435367
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

337

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

REQUEST FOR OFFER 25-05-2022·pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-05-25 11:29:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9f0dd02f-b701-4e40-932d-8a9816a8f850

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/274487/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %temp% directory

Creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/20307/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/628e12606eb3ff32632ba1da/reports/cf9bf91e-d71a-4a57-8817-cedb911c4ef5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d7e1649f-3cf7-47b2-b9a5-fb123e5e42d1

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1001516

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab189a55bc7ae7365ec71c2cab0118b5d644bc0aba0c07a65eba487b8100cd40/

Threat name:

Win32.Downloader.GuLoader

Status:

Malicious

First seen:

2022-05-25 05:20:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 41 (36.59%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vmmjuvn4plttmxwhdqwkwaiywxlejpakxigapjs6xjehxaiazvaa._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

42560389433675fab57a669923a7287010c6d49eadb8c07760d0a97fc9bdf6d5

GuLoader

4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07

GuLoader

7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9

GuLoader

89e2493a09c8a4a6de5198ff6052522953f26b441efe2b19838052fa695f08e9

GuLoader

8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047

GuLoader

c1dfe91a238e3b79887653dc716fa1fe5d4799b8ab78d6b91c0568830b795a32

GuLoader

c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43

GuLoader

e94bcf64e3affd0a755df05fc1f8c7fba1fb98303e433edff4d98f75d1e4fdf8

GuLoader

fa8c154dc265fd44150023639ed16b4a0112355d0622f39a9b305acb7c940d6b

GuLoader

+ 11'690 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/220525-njt8psabc5/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

Guloader,Cloudeye

Unpacked files

SH256 hash:

8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

MD5 hash:

cff85c549d536f651d4fb8387f1976f2

SHA1 hash:

d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

Link:

https://www.unpac.me/results/335ab098-2ae8-48c6-81ee-d11547012811/

SH256 hash:

6839e6beb56d55cb62bc68be26d98e0d0fc70a01b20841c9b35ce8ff6535a37d

MD5 hash:

1b60e42d2612ccf1b32a4b8949e98a8e

SHA1 hash:

12e5dfc1f06f2c3f6edb3178d22ff9f87baf389d

Link:

https://www.unpac.me/results/335ab098-2ae8-48c6-81ee-d11547012811/

SH256 hash:

ab189a55bc7ae7365ec71c2cab0118b5d644bc0aba0c07a65eba487b8100cd40

MD5 hash:

9ecb20a54018b36cfc31ba3a38b3b369

SHA1 hash:

48c3e650afc8e02fb28e35a3adf9837405c256dd

Link:

https://www.unpac.me/results/335ab098-2ae8-48c6-81ee-d11547012811/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.03

Link:

https://yomi.yoroi.company/submissions/ab189a55bc7ae7365ec71c2cab0118b5d644bc0aba0c07a65eba487b8100cd40

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274487/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample