MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
SHA3-384 hash: f7ccaf36cde06fa29d2ca855a726a401d430d83704b3590618a108a146ba15f287178b939aab64166a84b920adbc73d2
SHA1 hash: 843d243a71131baf9fbe0fcf4ba129f51ee74c8f
MD5 hash: 2046b941817392e3815535fccb1f39dc
humanhash: eight-leopard-jig-florida
File name:2046b941817392e3815535fccb1f39dc.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2021-08-03 07:39:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5565993a5a9f2bfb76f28ab304be6bc1 (7 x GuLoader)
ssdeep 1536:BUS3/zw2m3c39SYeXvmgU2sIMflWub4cL51tY4SQmiPYElZ943ckw2mUS3/:BT/zM3c3bcBsIMfQuDaSZS3ckYT/
Threatray 5'253 similar samples on MalwareBazaar
TLSH T135B39C8A950837BDC37711345FF37EA803E68D1A807298D9EBB7FD29185B2A0350477A
dhash icon 92b3d098caea4c93 (1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2046b941817392e3815535fccb1f39dc.exe
Verdict:
No threats detected
Analysis date:
2021-08-03 07:43:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a52566ce-aa7f-48d0-9bea-d8cc705b8029

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175955/
Detection(s):
Win.Malware.Generic-9883557-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64a58115-361e-465a-b9d1-1dbecdb52bfc
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825943
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Deletes itself after installation
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 23:36:48 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1942767aa808c15413e31d945174cdea44f4eeed5da3d5831aff879c90eb7609
GuLoader
2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3
GuLoader
55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
GuLoader
5e3c17b9a8fb04fc0de847833073fba6b1f5b4c302c003cfb888f93e4bd54adf
GuLoader
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
GuLoader
73b83d70f24909aea7920a86029b43198979d7e31ab768619371e12fc7399f93
GuLoader
8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
GuLoader
96beaff70c51e04f38db0943eddd24ecc142ef2815d536b82655e25fbf5a54db
GuLoader
ae98329a85df13c2051e0090dc455032f1202eb36da3df3c17ac36f94d0b95e0
GuLoader
faf4898dc104ee27f1d2adafa647094f57d9b282d6b3e7654c78e3d55eada723
GuLoader
+ 5'243 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210803-4xcq4n968s/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
MD5 hash:
2046b941817392e3815535fccb1f39dc
SHA1 hash:
843d243a71131baf9fbe0fcf4ba129f51ee74c8f
Link:
https://www.unpac.me/results/677a590f-28da-4cb0-b511-f24d9ae769d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/175955/
  
URLhaus
https://urlhaus.abuse.ch/url/1489223/
  
Delivery method
Distributed via web download

Comments