MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7a04a58e4ac828ba603e853f62a99eed25cac2bdc0eea70a5ead997c5d7962c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	c7a04a58e4ac828ba603e853f62a99eed25cac2bdc0eea70a5ead997c5d7962c
SHA3-384 hash:	7b2afa0fbebe8ffabe2e2b3d3937104b9051ad9803533bea9962cbc5573f2be5ded19b9d2bb82d5a0ee45b8b3ef7ff67
SHA1 hash:	e42ba7f0855daea5e5884616a48617891f25cf6f
MD5 hash:	c7fb82df5c9cc147a9cd5d0a8fb58f7f
humanhash:	don-quebec-failed-oven
File name:	PO853653-35683JKD0884-8854003559254_Order.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	164'880 bytes
First seen:	2022-09-29 00:57:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep	3072:kCaZ2Yrb0VTXJY84OoybUddN5ywEUi5VQ2zWMgRMvxg5HpJffO6T4RY:kCIo2bAbU10UaVRzWz6vxgHQM
Threatray	4'168 similar samples on MalwareBazaar
TLSH	T155F3F18E63D08127E59449F00E76E7BACFB6BE5014231973335CFFAE6674A0255242BB
TrID	92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	70b83b396decfc0c (2 x GuLoader)
Reporter	Anonymous
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-09-28T20:13:16Z
Valid to:	2025-09-27T20:13:16Z
Serial number:	46a84ea59480dae7
Thumbprint Algorithm:	SHA256
Thumbprint:	7a5cf68c9162c5a1f059675cbadc486ac968224a5b1f662f380ad275d3e68025
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

1

# of downloads :

467

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/314549/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.5566.15954.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file

Sending a custom TCP request

Creating a file in the %temp% subdirectories

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6334ed9cd089a0c15dd2a6ab/reports/83dd9b4e-90a2-4983-9997-9b2086f5c935/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c4ca7c78-fbed-4aef-b046-729eb4234fc4

Result

Threat name:

GuLoader, Remcos

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1079665

Signature

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7a04a58e4ac828ba603e853f62a99eed25cac2bdc0eea70a5ead997c5d7962c/

Threat name:

Win32.Packed.Krynis

Status:

Malicious

First seen:

2022-09-29 00:58:08 UTC

File Type:

PE (Exe)

Extracted files:

4

AV detection:

5 of 26 (19.23%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y6qeuwhevsbixjqd5bj7mkuz53jfzlbl3qhou4ff5lmzproxsywa._file

Verdict:

unknown

Similar samples:

12294db47384dc27b2fa9acf8167d7a0562a8d80aee861af40dc551a5b47ef34

200f037c6b5ea5be4526e928cd5aa0dbc5d7f6ab48f446cdff0ff07fed2db738

27c740dc023d79e8897ae7723a8749d9036b1f45cc0db69a465f9b5541009e90

5b44d377e2ac43e289acf6f2ce0c3062955c523886c79f4235317535a563ec9c

6d4d55abaccc1b19903ceb6c96d760327bb9c87a744a8806bfb242d547c9e6e3

72479e7e8d565858c426ef12cb410902ff74c3d42ab66874a7d12ed61f531ba4

8204d1ac916c1df101e3a4908c7231d11cfa33f2cc3524c53fb408ded548a5cd

83fef9d67405ca7975e04fc8c66e7d298809f90260d1b287f709a3bae49f502e

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

+ 4'158 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/220929-bazqlshdh4/

Behaviour

Enumerates physical storage devices

Drops file in Windows directory

Checks installed software on the system

Loads dropped DLL

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b6f07f31-d29c-411f-9505-f3a48fd759ae

Unpacked files

SH256 hash:

484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

MD5 hash:

960a5c48e25cf2bca332e74e11d825c9

SHA1 hash:

da35c6816ace5daf4c6c1d57b93b09a82ecdc876

Link:

https://www.unpac.me/results/5d864723-9f39-44d2-a8bc-b9182db0f681/

SH256 hash:

c7a04a58e4ac828ba603e853f62a99eed25cac2bdc0eea70a5ead997c5d7962c

MD5 hash:

c7fb82df5c9cc147a9cd5d0a8fb58f7f

SHA1 hash:

e42ba7f0855daea5e5884616a48617891f25cf6f

Link:

https://www.unpac.me/results/5d864723-9f39-44d2-a8bc-b9182db0f681/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c7a04a58e4ac828ba603e853f62a99eed25cac2bdc0eea70a5ead997c5d7962c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/314549/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample