MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a
SHA3-384 hash: 2fcc413613ba99732464215527102fe2880aa96fa870a5a222a019a1ef04253f2eb45a18721d680434fa27095ee018af
SHA1 hash: 098ad9b960cbe825687e46e34490f2fa79472964
MD5 hash: 0e0839b61a5ed6513ed166ccf35c2a68
humanhash: foxtrot-comet-seven-montana
File name:b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a
Download: download sample
Signature GuLoader
Create hunting rule
File size:576'544 bytes
First seen:2023-04-04 12:58:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 12288:yTMY1ltUnHhjWioHHQhR93J6hLB8K8WEv:yThtejWVHcR956DH8WM
Threatray 572 similar samples on MalwareBazaar
TLSH T10CC4F1C3A0709BE6DC6C903A55024823479EBF29B1F4DA117BBB3249B1F1195C27B7A7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-08T09:12:04Z
Valid to:2026-03-07T09:12:04Z
Serial number: 45eaba894aa169153e827a5c6dcd4921151c9e67
Thumbprint Algorithm:SHA256
Thumbprint: 8c6836ae0658013c97eafec24bbda36f70fec84ac54fa85f3d32e4bcbf41bccf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a
Verdict:
Malicious activity
Analysis date:
2023-04-04 12:58:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3bd2d56c-805e-4ade-892f-38b8c677945d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380023/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66137798.32320.24463.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Delayed reading of the file
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76503/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/642c1edc7dc0445b2388ea42/reports/090e5b80-e9ee-45e2-8ec4-ab08cdd44830/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e1b90f84-f5b5-4dfe-bd5a-98ef9e6895be
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1208154
Signature
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-28 08:24:59 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wszfpptdt5br4zbcnpbjupux67gi5tq4ij5i7zoomfnvj7aasrna._file
Verdict:
malicious
Similar samples:
19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3
GuLoader
2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc
GuLoader
2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0
GuLoader
536a5d0e0a0283a2037d9a01efaf92c4e119647ad3b8aa4d644461de984399f8
GuLoader
6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49
GuLoader
8e2592445728a1950fab0e7367efa48a84863658d968a090d0cf9e080b42d11b
GuLoader
936ef3a90e5433d26c707b0660fb1530a3f717734dc0c86568854c6131f954f7
GuLoader
974d4a3b79743a94417f467ffbaeb5de6616d2f5f5aef742f41b7a5d5a3d9ba7
GuLoader
c7a282bb4bc111616da14a7f6bac27b0b7c7437156a7992382dc695f50d6300a
GuLoader
c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581
GuLoader
+ 562 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230404-p7g4qagh5y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81
MD5 hash:
a1da6788aeaf78ca4ae1dece8019e49d
SHA1 hash:
d770155e6e9aa69223be198c44a8da26a1756d89
Link:
https://www.unpac.me/results/c0c5c921-f1ae-498b-baec-4105ece52e5e/
SH256 hash:
b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a
MD5 hash:
0e0839b61a5ed6513ed166ccf35c2a68
SHA1 hash:
098ad9b960cbe825687e46e34490f2fa79472964
Link:
https://www.unpac.me/results/c0c5c921-f1ae-498b-baec-4105ece52e5e/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4b257be639f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380023/

Comments