MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afccd20b616b002619cc6e6135729cf2b85f381524d76ecaa4ba764a8144236b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afccd20b616b002619cc6e6135729cf2b85f381524d76ecaa4ba764a8144236b
SHA3-384 hash: 83e50dbc490792a102424178abc92b75e3ba0bd4e03f135997e65f1ace93721836c79feaf1220ed5a1128fdadbe409fb
SHA1 hash: 4411a9d5c7363ffa252f520b0e4953ffac4bcda6
MD5 hash: 0c225f3d7436d7c996956470935dad78
humanhash: music-whiskey-nitrogen-pip
File name:CIF_SPECIFICATION.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-05-25 06:12:38 UTC
Last seen:2020-05-25 06:51:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 677ae1938f5606ca6dbb575b8297604b (1 x GuLoader)
ssdeep 1536:zenPEiwD69ahUn5zWvV5HrhG/vL829uv:aPZWLm1cVnG/wF
Threatray 466 similar samples on MalwareBazaar
TLSH FCB30813F9D8BCC9FC014DF299E199E40E23ADE81C914F07744ABB4E25761995FB0B2A
Reporter jarumlus
Tags:GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5539/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.49510.27277.24208.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 02:58:25 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
182b2d026edb387534dda66711ee6f9050bc8ed871d0ebb71a96f0b18498ba24
GuLoader
2d3877e6e33b4a3763ccdb6a68f4998d48d048c8b36a5fd9c2054ac2377e43dc
GuLoader
3764a8690d829b849cc82babfb6dc75a3b6f812e46d3d9535c380c187534094e
GuLoader
487032be06deec0a6b50c6c0464edb67d50f9bb769ea1527969d4b67b83e8733
GuLoader
5c9b22633bb9c7f20fcd928e0093ac5debd1dabd7f42daa479725b5f2db38e91
GuLoader
6591794758496511c22b638fc57b5d58943670a72568dfa92f29a08c501c73d6
GuLoader
c689edeb2bea45f5a7e6402ba51dc23e40e6c8b509841f60cb3d7327340b9b60
GuLoader
da0c0089713cfd5b47f425f23c23f9a9d82e62000873747dce1a73220319f93e
GuLoader
dc9ab0fc37303739eebdebf61ae10291db28738997267cdaf100f5c03f263c39
GuLoader
f17d48c8d179de191e519fa908648b977c09f91803b898d8e4fada52e423a8df
GuLoader
+ 456 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-2xvn7xk75j/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent state file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 7b6851070b0fe114e9a5f475afedba1729251ca694a223ffccb6dad12c340120

GuLoader

Executable exe afccd20b616b002619cc6e6135729cf2b85f381524d76ecaa4ba764a8144236b

(this sample)

  
Dropped by
MD5 bb238138a1ec08119d3af9a9fdb4afa8
  
Dropped by
SHA256 7b6851070b0fe114e9a5f475afedba1729251ca694a223ffccb6dad12c340120
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/5539/

Comments