MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4
SHA3-384 hash: 625df0081ce57995719e03c93eadce990d9f634915f0e58d08af26563ac95e318c2c27aaa37f3673971b731bd985b317
SHA1 hash: ad379c5a86bf646c4a079e737a364ab352107e5b
MD5 hash: ad0c93b574bb947cff15483eda82811e
humanhash: uranus-river-early-fillet
File name:ad0c93b574bb947cff15483eda82811e.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:379'720 bytes
First seen:2021-04-12 06:36:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 6144:zvEN2U+T6i5LirrllHy4HUcMQY6ZOaoi7ru0qFkBYDoogRI30z0noojfIVAdayb1:zENN+T5xYrllrU7QY65oiHuhGYDoogR0
Threatray 5'501 similar samples on MalwareBazaar
TLSH 1C84C566B509A02BD996D5F0316AF10AB1753D3206B99C1FBB90FF3A6070593B5BC30B
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Required Order Quantity.xlsx
Verdict:
Malicious activity
Analysis date:
2021-04-12 05:40:52 UTC
Tags:
encrypted trojan exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/fbfb79b8-7bd3-4482-bb78-f40aa102d384

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133667/
Detection(s):
PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-6803865-0
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/672591
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385246 Sample: os9TZxfmTZ.exe Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 79 www.slymwhite.com 2->79 81 www.postphenomenon.com 2->81 93 Potential malicious icon found 2->93 95 Found malware configuration 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 14 other signatures 2->99 12 os9TZxfmTZ.exe 1 4 2->12         started        16 explorer.exe 2->16         started        18 svchost.exe 9 1 2->18         started        21 3 other processes 2->21 signatures3 process4 dnsIp5 71 C:\Users\user\Desktop\os9tzxfmtz.exe, PE32 12->71 dropped 73 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 12->73 dropped 131 Installs a global keyboard hook 12->131 23 icsys.icn.exe 3 12->23         started        27 os9tzxfmtz.exe 12->27         started        83 127.0.0.1 unknown unknown 18->83 file6 signatures7 process8 file9 67 C:\Windows\System\explorer.exe, PE32 23->67 dropped 109 Antivirus detection for dropped file 23->109 111 Machine Learning detection for dropped file 23->111 113 Drops executables to the windows directory (C:\Windows) and starts them 23->113 119 2 other signatures 23->119 29 explorer.exe 3 17 23->29         started        115 Tries to detect Any.run 27->115 117 Hides threads from debuggers 27->117 34 os9tzxfmtz.exe 27->34         started        signatures10 process11 dnsIp12 85 vccmd03.googlecode.com 29->85 87 vccmd02.googlecode.com 29->87 91 5 other IPs or domains 29->91 75 C:\Windows\System\spoolsv.exe, PE32 29->75 dropped 77 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 29->77 dropped 133 Antivirus detection for dropped file 29->133 135 System process connects to network (likely due to code injection or exploit) 29->135 137 Creates an undocumented autostart registry key 29->137 147 3 other signatures 29->147 36 spoolsv.exe 2 29->36         started        89 demo.sdssoftltd.co.uk 103.67.236.191, 443, 49722 OASISGSSERVICES-ASOASISGSSERVICESIN India 34->89 139 Modifies the context of a thread in another process (thread injection) 34->139 141 Tries to detect Any.run 34->141 143 Maps a DLL or memory area into another process 34->143 145 Hides threads from debuggers 34->145 file13 signatures14 process15 file16 65 C:\Windows\System\svchost.exe, PE32 36->65 dropped 101 Antivirus detection for dropped file 36->101 103 Machine Learning detection for dropped file 36->103 105 Drops executables to the windows directory (C:\Windows) and starts them 36->105 107 2 other signatures 36->107 40 svchost.exe 3 3 36->40         started        signatures17 process18 file19 69 C:\Users\user\AppData\Local\stsys.exe, PE32 40->69 dropped 121 Antivirus detection for dropped file 40->121 123 Machine Learning detection for dropped file 40->123 125 Drops executables to the windows directory (C:\Windows) and starts them 40->125 127 2 other signatures 40->127 44 spoolsv.exe 1 40->44         started        47 at.exe 1 40->47         started        49 at.exe 40->49         started        51 11 other processes 40->51 signatures20 process21 signatures22 129 Installs a global keyboard hook 44->129 53 conhost.exe 47->53         started        55 conhost.exe 49->55         started        57 conhost.exe 51->57         started        59 conhost.exe 51->59         started        61 conhost.exe 51->61         started        63 7 other processes 51->63 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 06:37:06 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsvmheitxulrld7inj3tfd4x5hb7ufegbsoeisnivydwrscsip2a._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
3f4a0835681cef1f6fb04e96385369218b895d27f78a39112201e15cee44344f
GuLoader
57aa81416cfdbd76df2a15cb14810f8529ecab0eea978210a4ef3047f35a225e
GuLoader
6cb468ece5c221172feb8a352db446b0394d7704cf6208cea2cda8bd5adc53ff
GuLoader
863e79eefbefca07f2b0ff5689d6421ab1ec334b19466e066c744a8ad8495ad6
GuLoader
8c448af1e0de3c92f5d5d5d1ee9e7b533bca6238fbd1613c1a21ae754b7beba5
GuLoader
94bc42de09be1987a4d00906aa05b58fa2f9f1d1edc2c46dfa206c9d608b9a42
GuLoader
a6ab3a1ec39d3a4c0660bbfdbe8cbbdd89d9278cca176d7bff77d7aab00dd7ed
GuLoader
b2082661840c6ed4e199a9da37df9e37f8700aad3c9bfbb1930ef57d0dcf387f
GuLoader
d00608bb50125705c3e214e84ee2979cb7b982bc6e3ea64c0eed1ae9ad2baa87
GuLoader
e819a4e61935ca9a0b11a27c0de5fe34a74c916d442a2b9982e569cf1c3d5734
GuLoader
+ 5'491 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader evasion guloader persistence
Link:
https://tria.ge/reports/210412-89lr38pyjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Guloader Payload
Guloader,Cloudeye
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
966b9b34ace3c324a0cfc816af437290ab2926f24bce8a50285f691418d1e308
MD5 hash:
fa6bb8f21659c6dd9b626ce85e4ea800
SHA1 hash:
02aa547c79794172fa359a15e1f54fb327cdcead
Link:
https://www.unpac.me/results/37604c2e-03e8-4098-afa2-a1914f51a909/
SH256 hash:
bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4
MD5 hash:
ad0c93b574bb947cff15483eda82811e
SHA1 hash:
ad379c5a86bf646c4a079e737a364ab352107e5b
Link:
https://www.unpac.me/results/37604c2e-03e8-4098-afa2-a1914f51a909/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1107003/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133667/
  
URLhaus
https://urlhaus.abuse.ch/url/1107970/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 14:58:06 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
2) [C0019] Data Micro-objective::Check String
3) [B0023] Execution::Install Additional Program