MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1d7fd0aa40c6d462b4d4d15b1a842d6a300ef5cfde58455c3458baceaedcd6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	b1d7fd0aa40c6d462b4d4d15b1a842d6a300ef5cfde58455c3458baceaedcd6e
SHA3-384 hash:	484ac1182dc0eac8e54956e7d6323ef89e3b371056745a0983ff088e391d6653f9062de54521ffeda70afe2f364d1c8e
SHA1 hash:	421aeb07d970caff989b2a4070ccb11a88ab5f2c
MD5 hash:	7efe09c7b5a05081144bc8e11a970702
humanhash:	batman-princess-tango-angel
File name:	SecuriteInfo.com.generic.ml.8569
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	110'592 bytes
First seen:	2021-02-10 11:28:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	16f77598a81965428d9ddc3711e9dab5 (8 x GuLoader)
ssdeep	768:XNLkd7FJAG3i3RIa53tB+EzcyCjH0rElc83xWUHQjyqPMRrcSlh5QFm0sasLSoup:dLuVibdZzchcgWJPxvVa5U
Threatray	4'479 similar samples on MalwareBazaar
TLSH	CEB3B563B7B3EA97DD55C4B02E0586A88686FF34C9D58A03B3F12F2E2E745C15D20396
Reporter	SecuriteInfoCom
Tags:	GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.generic.ml.8569

Verdict:

Malicious activity

Analysis date:

2021-02-10 11:28:25 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/d0b7e3c0-a923-4917-acff-dc639bb45a3e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Guloader

Link:

https://www.capesandbox.com/analysis/116487/

Detection(s):

SecuriteInfo.com.generic.ml.8569.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Unauthorized injection to a recently created process

DNS request

Moving of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/604323

Signature

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Potential malicious icon found

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/b1d7fd0aa40c6d462b4d4d15b1a842d6a300ef5cfde58455c3458baceaedcd6e/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2021-02-10 09:45:00 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=whl72cvebrwumk2njuk3dkcc22rqb3247xsyivodiwf2z2xnzvxa._file

Verdict:

malicious

Label(s):

guloader

GuLoader

0afe73609922b94ffb25f673db3b621befab30c7f52cd586497b63f8154dbd6d

GuLoader

2b7498abb82bfc105fb641bc1b9e9da602bfeefb252dd8d16d7c1e4fbc3a4668

GuLoader

2ea5a4fb25528051254f255dc64913ca7d4faa1ecba2f40a55b536f871624fb9

GuLoader

581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03

GuLoader

6d192f66f0fbf8a2f9311a12b5905ce6a19ecd28e7c483ccfedaf0b5b153c0eb

GuLoader

85da31a80a4d9abbb63b08026620b12410c1865fdc8399c283af3bbfbddfd4f6

GuLoader

893033ccdb5795d90f5cad3d4e2121307a9f18b05f74c39970395a2f1a6a40ec

GuLoader

8af9082895b93e1952e76c069fe9047e2d02cde059ce34655df5960761ca5664

GuLoader

c882cc422e4039600b31e53e369f05b29dc9dd38cab76facef8a42adc8d326b3

GuLoader

+ 4'469 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/210210-nxjpk12gk6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Lokibot

Malware Config

C2 Extraction:

http://51.195.53.221/p.php/oIWHc5Y4YXDMo
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php