MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab1f192fb8f916dcd581face8064290632cc84049382de572156f4538cdec085. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab1f192fb8f916dcd581face8064290632cc84049382de572156f4538cdec085
SHA3-384 hash: 7a5f9b531c692fbcdccd4f154833bafc4756a90590fb8d4fcdcd0f619f68b4e57cd91e3a47c61059790e39cb4bf68261
SHA1 hash: bdcd6f9323f270f075f834a96e78a61fe01bf3a9
MD5 hash: 64870db1f918b02c66f11097b4a387f2
humanhash: arkansas-papa-undress-sink
File name:SecuriteInfo.com.Variant.Tedy.201981.27977.3001
Download: download sample
Signature GuLoader
Create hunting rule
File size:252'608 bytes
First seen:2022-09-13 10:07:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 3072:Ps77w1OlWUt1u8LkUwD8MPPwUWkb7bZHOYyBnQOnopwWyW9stsf5ECE9ZrQB+qgd:UmOPINH9TzZHOYcQOno+WrW6+FZrjSHs
Threatray 2'754 similar samples on MalwareBazaar
TLSH T1DE34C04017E9C433C5A28BB27315F67A95B4AEA025F7D389D3223667EE337827D04782
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Operandernes Reglued Deadishly
Issuer:Operandernes Reglued Deadishly
Algorithm:sha256WithRSAEncryption
Valid from:2021-09-22T19:15:19Z
Valid to:2024-09-21T19:15:19Z
Serial number: -47eb1e034088a6f7
Thumbprint Algorithm:SHA256
Thumbprint: 8833adcd7cbb8532e76aabd4c18d98a060972e564455c0f18129effc8a23a9f8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
352
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309697/
Detection(s):
SecuriteInfo.com.Variant.Tedy.201981.27977.3001.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37546/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6320573d11830460749b3437/reports/30aeed92-2740-4998-9708-5c62718fcd86/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2eb9ed62-6f61-4400-b5f2-686155264602
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1069420
Signature
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect Any.run
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 701952 Sample: SecuriteInfo.com.Variant.Te... Startdate: 13/09/2022 Architecture: WINDOWS Score: 68 39 bmdonline.ro 2->39 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected GuLoader 2->45 8 SecuriteInfo.com.Variant.Tedy.201981.27977.3001.exe 2 45 2->8         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\System.dll, PE32 8->37 dropped 49 Mass process execution to delay analysis 8->49 51 Tries to detect Any.run 8->51 12 powershell.exe 8->12         started        14 SecuriteInfo.com.Variant.Tedy.201981.27977.3001.exe 8->14         started        18 powershell.exe 8->18         started        20 106 other processes 8->20 signatures6 process7 dnsIp8 22 conhost.exe 12->22         started        41 bmdonline.ro 31.14.22.174, 49747, 80 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 14->41 53 Tries to detect Any.run 14->53 25 conhost.exe 18->25         started        27 conhost.exe 20->27         started        29 conhost.exe 20->29         started        31 conhost.exe 20->31         started        33 103 other processes 20->33 signatures9 process10 signatures11 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab1f192fb8f916dcd581face8064290632cc84049382de572156f4538cdec085/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 10:08:11 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmprsl5y7elnzvmb7lhiazbjayzmzbaesobn4vzbk32fhdg6yccq._file
Verdict:
malicious
Similar samples:
07dd788eaf264a645dce4b24536deda60690bba09125d2c9babc7ec786734344
GuLoader
153fb690a1f464ba3a1c37d1d8d103010a54a00bd10eb86ead709e275dc5d302
GuLoader
2aa855e58f1d16de00731cb9406d658533187046015073f293265f85ce07ba45
GuLoader
39f7c1971006cb42f261299ef2a05ed79573b96aab9cfcfed213abad2e0eb8d7
GuLoader
57db1a9611191d01fbe260f052e87a6fb0cf7dbb1644079727627252ee3e109a
GuLoader
90903410062ac828233bd91ed1adb4781ba522a6131b19330bcd8ef7c791672b
GuLoader
c829830d55396b4d79630c268cc875bc59c950daac4ee0476560a2edc3f8f87a
GuLoader
d827e104b371b3007b170c02cd72ac018eeac21b99304efb3042ab79928133ad
GuLoader
ef98f88e2af062e52962b309ec92736c485ce509e6319271cdde46e030455b5b
GuLoader
+ 2'744 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220913-l58bcafcf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a61d5729-365a-45ed-ab8e-9c09f06f2a2d
Unpacked files
SH256 hash:
938580b466533dfa1461e9858fd106b60e1a52b713380915cc03afd3e4b4573c
MD5 hash:
98bdb37511634dad8d1236d91d373b26
SHA1 hash:
778cf74b4f8860cc378fa4e61aeba318197783ce
Link:
https://www.unpac.me/results/bcc35e7f-229f-47bd-82c7-af3188121ec1/
SH256 hash:
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
MD5 hash:
8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 hash:
223bef1f19e644a610a0877d01eadc9e28299509
Link:
https://www.unpac.me/results/bcc35e7f-229f-47bd-82c7-af3188121ec1/
SH256 hash:
f7d98be26c813724c7cb673b53475fe660d3ef4f9930d57a550c91578c660e91
MD5 hash:
723646252e79cbb15c7817360f93a6d2
SHA1 hash:
c9ce61d71b7377456ab49c823fc756336b01f7b5
Link:
https://www.unpac.me/results/bcc35e7f-229f-47bd-82c7-af3188121ec1/
SH256 hash:
c6e86639826f7d813e66e27135ade3f0ebfd9803286def4c8ca2ecf7926f1709
MD5 hash:
f5765d6842c93e59408181c7044709a4
SHA1 hash:
2c5d145adf52539791c0cbd9d87d0929eef0fd97
Link:
https://www.unpac.me/results/bcc35e7f-229f-47bd-82c7-af3188121ec1/
SH256 hash:
ab1f192fb8f916dcd581face8064290632cc84049382de572156f4538cdec085
MD5 hash:
64870db1f918b02c66f11097b4a387f2
SHA1 hash:
bdcd6f9323f270f075f834a96e78a61fe01bf3a9
Link:
https://www.unpac.me/results/bcc35e7f-229f-47bd-82c7-af3188121ec1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/ab1f192fb8f916dcd581face8064290632cc84049382de572156f4538cdec085

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/309697/

Comments