MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
SHA3-384 hash: dd881553995fd497ef4f7e0f0421c7d1ff399891239a499c856766b030df52b91dcb99951182d75b5b26e19ae3125a78
SHA1 hash: 87c4790dc030726806b264083a9d8de49c0648fe
MD5 hash: 7fbe242d89cb52f689bea4126e97a33e
humanhash: four-florida-quebec-robert
File name:7fbe242d89cb52f689bea4126e97a33e.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:106'496 bytes
First seen:2021-02-18 07:06:11 UTC
Last seen:2021-02-18 08:39:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 28cfb83efbb0b6bd426b66f31651da5c (16 x GuLoader, 1 x RemcosRAT)
ssdeep 1536:OHzGAFWauXQviBcKxa64q+LpTaJlaLlUTS:5AVuXQviBBTd+LF
Threatray 200 similar samples on MalwareBazaar
TLSH C9A3B535B9A4DDF6D08484354516F3AC1513BF3288449E5FBACCBA5E2E7B6C390A0E1B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
win.exe
Verdict:
No threats detected
Analysis date:
2021-02-17 22:23:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7db0b928-55b2-4e32-a52c-a2fec7008bae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Razy.843298.26585.513.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/611123
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected VB6 Downloader Generic
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 354578 Sample: 6QlgtXWPBZ.exe Startdate: 18/02/2021 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for domain / URL 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Detected Remcos RAT 2->62 64 7 other signatures 2->64 10 6QlgtXWPBZ.exe 1 2->10         started        13 win.exe 1 2->13         started        15 win.exe 1 2->15         started        process3 signatures4 80 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->80 82 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->82 84 Tries to detect Any.run 10->84 88 2 other signatures 10->88 17 6QlgtXWPBZ.exe 4 10 10->17         started        86 Hides threads from debuggers 13->86 22 win.exe 2 7 13->22         started        24 win.exe 6 15->24         started        process5 dnsIp6 50 mtspsmjeli.sch.id 103.150.60.242, 49747, 49750, 49751 PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID unknown 17->50 46 C:\Users\user\AppData\Roaming\win.exe, PE32 17->46 dropped 48 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 17->48 dropped 66 Tries to detect Any.run 17->66 68 Hides threads from debuggers 17->68 26 wscript.exe 1 17->26         started        52 hsyuwbvxczbansmloiujdhsbnbcgywqauaghxvz.ydns.eu 192.253.246.136, 2009, 49752, 49753 LEASEWEB-USA-NYC-11US United States 22->52 70 Injects a PE file into a foreign processes 22->70 28 win.exe 22->28         started        31 win.exe 13 22->31         started        33 win.exe 22->33         started        54 192.168.2.1 unknown unknown 24->54 file7 signatures8 process9 signatures10 35 cmd.exe 1 26->35         started        94 Tries to steal Instant Messenger accounts or passwords 28->94 96 Tries to steal Mail credentials (via file access) 28->96 98 Tries to harvest and steal browser information (history, passwords, etc) 31->98 process11 process12 37 win.exe 1 35->37         started        40 conhost.exe 35->40         started        signatures13 72 Multi AV Scanner detection for dropped file 37->72 74 Detected unpacking (changes PE section rights) 37->74 76 Tries to steal Mail credentials (via file registry) 37->76 78 6 other signatures 37->78 42 win.exe 6 37->42         started        process14 dnsIp15 56 mtspsmjeli.sch.id 42->56 90 Tries to detect Any.run 42->90 92 Hides threads from debuggers 42->92 signatures16
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-02-17 20:54:06 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3srk3brcqjccarxqecfazeji5uz2hcimjjwutugw54orglcokja._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
22b13820a6139c7682d5e1108aefde2200dc593e14fe7fca28eb27d5e616bef7
GuLoader
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
GuLoader
6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
GuLoader
7499c45e246fe759ff4180bd864252689b1cbadc7825d007c7e25aa39c6a4450
GuLoader
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
GuLoader
7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9
GuLoader
c0e6f7a4aa809d2b93ba137245380ada0a44ac5576935e13e165d02b1b937583
GuLoader
c120fd3e62a0ecd299625f3fbf622fb8a56b534828b6788fe766f1bc36ac7a68
GuLoader
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
GuLoader
deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
GuLoader
+ 190 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat spyware
Link:
https://tria.ge/reports/210218-ndr572zsze/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Remcos
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/3f1c3d3d-2de0-46a6-9e5e-b7edf9c1401a/
SH256 hash:
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
MD5 hash:
7fbe242d89cb52f689bea4126e97a33e
SHA1 hash:
87c4790dc030726806b264083a9d8de49c0648fe
Link:
https://www.unpac.me/results/3f1c3d3d-2de0-46a6-9e5e-b7edf9c1401a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1016376/
  
URLhaus
https://urlhaus.abuse.ch/url/995738/
  
Delivery method
Distributed via web download

Comments