MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbbf5f08eb9fd0467576bf23b709d414ce9e7061b028c29ce08f179af6e60a97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbbf5f08eb9fd0467576bf23b709d414ce9e7061b028c29ce08f179af6e60a97
SHA3-384 hash: 9cbb2faa29f4603f7de8e5fdc92bad6da85003fe2c249098591780b64f282cbb7c82ecdf7710be84c19d53f1e331057d
SHA1 hash: 3007594000d3a7d7d290bd36315b5cc864aaecb5
MD5 hash: 2c9f511933be212919e1da550603dc98
humanhash: september-triple-may-kansas
File name:PackingList.com
Download: download sample
Signature GuLoader
Create hunting rule
File size:150'192 bytes
First seen:2022-09-14 02:22:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 3072:3s77w1OlWUt1uIkbUVWvSrw9JfuyFGPn65COjiLS3OF6ZfS3ht:cmOPMwWac9JfuyFG/2CMESRq
Threatray 14'339 similar samples on MalwareBazaar
TLSH T150E3F1154AA4C4B7EA528B302E784B6FAFBD770620754B4B23509FAD3A237D2CD5C319
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Revelment Tirzah Swimming
Issuer:Revelment Tirzah Swimming
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-18T16:13:06Z
Valid to:2025-08-17T16:13:06Z
Serial number: -316918b025d5adb0
Thumbprint Algorithm:SHA256
Thumbprint: 30d4a1b3be49434f2b5776a158b872335308ee98b7446ce2e601bc4b311f414b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
396
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309892/
Detection(s):
SecuriteInfo.com.NSIS.Injector.AOW.tr.31833.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Searching for the window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37611/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader nemesis overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63213b81ba7b8113dd5d360b/reports/51d3e4d7-d572-41cc-89e0-1df3a3bf504f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d5a1de5c-7c32-4a0d-ab5a-fc6362dad3c7
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1069959
Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbbf5f08eb9fd0467576bf23b709d414ce9e7061b028c29ce08f179af6e60a97/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-12 15:45:36 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zo7v6chlt7iem5lwx4r3ocoucthj44dbwaumfhhar4lzv5xgbklq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
153fb690a1f464ba3a1c37d1d8d103010a54a00bd10eb86ead709e275dc5d302
GuLoader
1d3e8941eb686b154fca77b2c80b84a19fdf21ebd298dc55d4519310ed011add
GuLoader
3a364b193d256ee86f9c7dc66ca6322f64ffacda0685e98d9909ad90a595831b
GuLoader
53cd75c785b440cbc32ded5c23144e59ec2d910618f3733dff686cefb699310c
GuLoader
57db1a9611191d01fbe260f052e87a6fb0cf7dbb1644079727627252ee3e109a
GuLoader
6730e52c8075c7e044c2bbaf9f7ad8c0f7f8d03fb23adbd2331adc8b591caec7
GuLoader
6ab1444d305f5a3ffafd05cadd42ac71f058ad19257f67b0210d847848b8a06e
GuLoader
ab1f192fb8f916dcd581face8064290632cc84049382de572156f4538cdec085
GuLoader
f93da7562182b8456d6c88c58d90c745004aaef0979a2a98a06341b219bfe03e
GuLoader
fe00f0b94120e6994117bf92c39940b5a499821e3684163cae07a8fb0ea1c5f1
GuLoader
+ 14'329 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220914-ct5awachal/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/54f97f63-1462-41b3-89ff-7e1496ed3797
Unpacked files
SH256 hash:
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
MD5 hash:
8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 hash:
223bef1f19e644a610a0877d01eadc9e28299509
Link:
https://www.unpac.me/results/7ec5d15e-c543-459a-a270-003a66bd894b/
SH256 hash:
cbbf5f08eb9fd0467576bf23b709d414ce9e7061b028c29ce08f179af6e60a97
MD5 hash:
2c9f511933be212919e1da550603dc98
SHA1 hash:
3007594000d3a7d7d290bd36315b5cc864aaecb5
Link:
https://www.unpac.me/results/7ec5d15e-c543-459a-a270-003a66bd894b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cbbf5f08eb9fd0467576bf23b709d414ce9e7061b028c29ce08f179af6e60a97

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe cbbf5f08eb9fd0467576bf23b709d414ce9e7061b028c29ce08f179af6e60a97

(this sample)

  
Dropped by
guloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/309892/

Comments