MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3eb1c9dae9be362c95a02f393f3da600615533c0def47835003a8a3dadcd484. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3eb1c9dae9be362c95a02f393f3da600615533c0def47835003a8a3dadcd484
SHA3-384 hash: cf558dc865b47a4712ef7eb57ff2a77d78fd76a2542a2ce1fa7695c486d0dac174e59f1198615e882104f3d7a9a8230c
SHA1 hash: 273823b9a1c758a5549d838f3024172f72f5e65e
MD5 hash: 0379cf12ef3850e1d9232774a3d469c0
humanhash: butter-red-harry-autumn
File name:0379cf12ef3850e1d9232774a3d469c0
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2021-09-20 15:38:09 UTC
Last seen:2021-09-20 17:00:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40768f14753bfb2d577d092577251956 (4 x GuLoader)
ssdeep 768:ZWpUGQd8h4JV7CH2pLiijD2EZskFEH1Czt5jHzGkj1KOX+2W3Rt/+M1p7ywMwD:AwgWHpR0HczTzG4r8t/Xry/wD
Threatray 5'435 similar samples on MalwareBazaar
TLSH T149839E92D6F40CFFE996877D08727A740146FC565B24EE0B28887F0D3BB1786A7A0764
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ITEM LIST 20092021UOC.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-20 14:31:44 UTC
Tags:
encrypted opendir exploit CVE-2017-11882
Link:
https://app.any.run/tasks/7691d7a2-29d1-4a68-89c7-02315391b2ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189512/
Detection(s):
SecuriteInfo.com.Variant.Razy.936011.19447.730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Malware family:
Kpot stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2bc15128-3eb8-4e37-b0a5-73757a27a357
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854203
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3eb1c9dae9be362c95a02f393f3da600615533c0def47835003a8a3dadcd484/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 15:38:28 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7
GuLoader
0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c
GuLoader
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
GuLoader
41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2
GuLoader
44a9a29d7cddbe89d5b983dd0286aaa532e785af356cc8d88b645deeb0251fed
GuLoader
49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270
GuLoader
548aefb935e11a84133bd8b3d367d988b9ad2e3bde7f4c0fffcf6a94b529be72
GuLoader
7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9
GuLoader
e13745c95f7bcf403f519efbdf2ab8988f5237c20f9054d994e1e3d8ecf12784
GuLoader
+ 5'425 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210920-s3l4nahbdn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Unpacked files
SH256 hash:
c3eb1c9dae9be362c95a02f393f3da600615533c0def47835003a8a3dadcd484
MD5 hash:
0379cf12ef3850e1d9232774a3d469c0
SHA1 hash:
273823b9a1c758a5549d838f3024172f72f5e65e
Link:
https://www.unpac.me/results/15a9d518-8263-4212-8456-f3fc759cd7ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c3eb1c9dae9be362c95a02f393f3da600615533c0def47835003a8a3dadcd484

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe c3eb1c9dae9be362c95a02f393f3da600615533c0def47835003a8a3dadcd484

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1635997/
Cape
Cape
https://www.capesandbox.com/analysis/189512/

Comments


Avatar
zbet commented on 2021-09-20 15:38:11 UTC

url : hxxp://192.227.225.173/0789/vbc.exe