MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adea37317bf08b2dbb86164c609b0ee2eec3ccd6ef0e82c1c46d8447623e5899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	adea37317bf08b2dbb86164c609b0ee2eec3ccd6ef0e82c1c46d8447623e5899
SHA3-384 hash:	ae0a6a2df0530a355650755dc50f0b43bc84f56e98f75de06452e5eace292b0909cd7a6b3b8d55989b68b4296faa7563
SHA1 hash:	b10d499c6aedcc0c0a3cf728a609466824a73d19
MD5 hash:	90524c4f4816eb22693e92212b8cab6c
humanhash:	juliet-kentucky-muppet-winter
File name:	TNTNumber1062324.PDF.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	135'168 bytes
First seen:	2021-03-08 14:09:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc882d101998a701353b40b0cd8c341a (6 x GuLoader, 1 x Formbook)
ssdeep	3072:i4wVUPBu0Mxbf+rr3AfKDeQVXrbGQqwV:i4wVUPgxbf+rr3AfKSQVXrqQqwV
Threatray	5'274 similar samples on MalwareBazaar
TLSH	A8D31672B375DAB7F92A03729911C6BC0780AF235946890761F13B2FB6316501BB1EF6
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

240

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TNTNumber1062324.PDF.exe

Verdict:

No threats detected

Analysis date:

2021-02-25 21:55:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4ae670cc-2485-48fe-acd6-53e0ed5a555c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Guloader

Link:

https://www.capesandbox.com/analysis/122807/

Detection(s):

Win.Malware.Razy-9835554-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/618989

Signature

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2021-02-25 08:55:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vxvdoml36cfs3o4gczggbgyo4lxmhtgw54hifqoenwceoyr6lcmq._file

Verdict:

unknown

GuLoader

1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b

GuLoader

39874f3eb3d660ef8af1c02af08ddfa4d3dc14aedf2c216e3e1f8639813bf2e1

GuLoader

4a354b88e0c8817b637120c95edcae262dd09c786e5b083072e5ea445031447c

GuLoader

578ebd08634c9e158e553b27cfe7e26435e93d3325d53657d3ffc3eec83be71b

GuLoader

6c7d10402361556d564ce74e16a05024a4e0ad31da03b98fb69d4f7c0079730f

GuLoader

9d97eea7bad17d4b303d3b7e4b4178f94462ba08c29c46a4e2f8707afde9bee3

GuLoader

e15bdb0251ab0740aabcc3686ec2a65d9e10d1725b6713ccf868e85d1bc161bc

GuLoader

e45b4d0e0b338b2a3875466e875b008043acf8240da0d6caa2ec14d13c02fe41

GuLoader

e8f0dd4a951cb42729e34171301bf46bd708a8c1c1c0b5b7daf2ed9036b97cca

GuLoader

+ 5'264 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210308-gb346xtm92/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

adea37317bf08b2dbb86164c609b0ee2eec3ccd6ef0e82c1c46d8447623e5899

MD5 hash:

90524c4f4816eb22693e92212b8cab6c

SHA1 hash:

b10d499c6aedcc0c0a3cf728a609466824a73d19

Link:

https://www.unpac.me/results/f9e853fb-6982-4d90-9d35-920aaa4600fe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.86

Link:

https://yomi.yoroi.company/submissions/adea37317bf08b2dbb86164c609b0ee2eec3ccd6ef0e82c1c46d8447623e5899

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/122807/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample