MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3505c8ff7b748f4025591beddfc1ba61d58121f9fccdda86ea63235b4f64827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3505c8ff7b748f4025591beddfc1ba61d58121f9fccdda86ea63235b4f64827
SHA3-384 hash: 59b22a15f323213cc687680bb5d155c1e4bb0a8949db522581c1142720305705b5bab3079bf83e160c0bb90410590941
SHA1 hash: 27e5fd5581ec69e30ad2a2633338707c3211ba9c
MD5 hash: 1e2e1c1aa43679e380929d21afffc7f2
humanhash: romeo-two-jupiter-twelve
File name:1e2e1c1aa43679e380929d21afffc7f2.msi
Download: download sample
Signature GuLoader
Create hunting rule
File size:8'049'152 bytes
First seen:2022-01-25 09:37:57 UTC
Last seen:2022-01-25 11:30:35 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:6wJVFMZIul4lgu5JzKu3kwOmgJU2mc+bt52U1s3HsKF13:5JVFLul4Ku5YuimGU2KKU1s8KF13
Threatray 205 similar samples on MalwareBazaar
TLSH T10086F1A239958A32E57E52B064A6CA3314FBBD951B7110EF63DF446A0EB15CD43B0F32
Reporter abuse_ch
Tags:GuLoader msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/222272/
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

Sanesecurity.Badmacro.Xls.credriv.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm control.exe evasive fingerprint print.exe remote.exe replace.exe shell32.dll
Link:
https://www.filescan.io/uploads/61efc5000f8c757253e62384/reports/b7639319-8e08-4a08-9dd5-73a45852bfe5/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c3505c8ff7b748f4025591beddfc1ba61d58121f9fccdda86ea63235b4f64827
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/926915
Signature
Multi AV Scanner detection for submitted file
Opens network shares
PE file has a writeable .text section
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3505c8ff7b748f4025591beddfc1ba61d58121f9fccdda86ea63235b4f64827/
Threat name:
Win32.Trojan.Babar
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 00:50:11 UTC
File Type:
Binary (Archive)
Extracted files:
102
AV detection:
13 of 43 (30.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynifzd7xw5epiasvsg7n37a3uyovqeq7t7gn3kdouyzdlnhwjatq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
02cead8bc66fb8b15702508eb0681a0c2f26846962fd95cf621f84d481454927
GuLoader
21b86d066be79ef02c1e00c3be9bf22c4087d4122569543d2c8854ccb8a9b129
GuLoader
3529493db869e38f4cc8d85f0b5e3964abb6b9aa9e053b6884b47ff610551239
GuLoader
368a995009f0a3324ed392ed8411bd64c41d091fb22ef20170f9c9fd50ee8c8a
GuLoader
41ea97dc0c4e1ed234b29c6cee2de9d3a9201942044b9246e108c00f541d0150
GuLoader
c5d5bd4d5b66de5559e4ebb98251b74b49baa08a50cfc8f69b2c9005fcc861a4
GuLoader
e1530e55a185d7733d470ba0e450464c7e9a95425025a51b79a3795b9f44ada9
GuLoader
ea444236afe9351a13e2d6d4652553c7426e424da8f16cae64026c4413c78a2a
GuLoader
f016bb4e883c001c82a4cf91745844f14b76fd015a2747c491badae79c2b0911
GuLoader
f3e180897f615a8d54fbe97faebd15e80be7358a3d4aa7ea8511a73285b3fe85
GuLoader
+ 195 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx
Link:
https://tria.ge/reports/220125-ll3lradch2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
UPX packed file
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/c3505c8ff7b748f4025591beddfc1ba61d58121f9fccdda86ea63235b4f64827

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/222272/

Comments