MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d624b8b210c126ab30fcaba70efc90a0be4154fe53bb1e4d17ccc6d076e55d84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d624b8b210c126ab30fcaba70efc90a0be4154fe53bb1e4d17ccc6d076e55d84
SHA3-384 hash: 875558eeee5b164317e9f5ca4e40fd0f2dbe6fd15e70521980a7e7a2097f1698213bb446f92c9fb28938dc8ecaa81d25
SHA1 hash: 08f5198226d7412346e1f279da33d9cb8efb0efc
MD5 hash: bb005fca8dc49383e49fb945acec62d2
humanhash: one-alanine-video-may
File name:bin.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:101'712 bytes
First seen:2021-09-09 13:44:48 UTC
Last seen:2021-09-09 15:29:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 000ed791bfecbc3bb69fb230428c55f9 (8 x GuLoader)
ssdeep 1536:jDljylHI07E+ZTXTmbgqiBAG5TuFpO6p5TOhhQDSeM:j+HIWJqi2pf+hQOeM
Threatray 152 similar samples on MalwareBazaar
TLSH T1CCA39EF97DA05C92FBCAC0B75C71026C0C2BDEA255D51B5319B12ABC090B7C1BEA3D1A
dhash icon f87ececececece0c (10 x GuLoader)
Reporter James_inthe_box
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:aabenb
Issuer:aabenb
Algorithm:sha256WithRSAEncryption
Valid from:2021-09-09T02:28:01Z
Valid to:2022-09-09T02:28:01Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: ad49bb06501f54688d99318051f6963950a88f75c54665beca6641d34999eb8e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bin.exe
Verdict:
No threats detected
Analysis date:
2021-09-09 13:46:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6f52539b-4488-4c76-8016-6093c56c7702

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186676/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46947869.30525.30385.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42b8308f-331c-445f-8dab-ebe721d6436d
Result
Threat name:
GuLoader Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848131
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 480562 Sample: bin.exe Startdate: 09/09/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 5 other signatures 2->42 8 bin.exe 1 2->8         started        process3 signatures4 44 Performs DNS queries to domains with low reputation 8->44 46 Self deletion via cmd delete 8->46 48 Tries to detect Any.run 8->48 50 2 other signatures 8->50 11 bin.exe 67 8->11         started        process5 dnsIp6 30 smdglo.xyz 31.210.20.16, 49800, 49804, 80 PLUSSERVER-ASN1DE Netherlands 11->30 32 googlehosted.l.googleusercontent.com 142.250.201.193, 443, 49799 GOOGLEUS United States 11->32 34 2 other IPs or domains 11->34 22 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->22 dropped 24 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 11->24 dropped 26 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 11->26 dropped 28 45 other files (none is malicious) 11->28 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->52 54 Tries to steal Instant Messenger accounts or passwords 11->54 56 Tries to steal Mail credentials (via file access) 11->56 58 7 other signatures 11->58 16 cmd.exe 1 11->16         started        file7 signatures8 process9 process10 18 conhost.exe 16->18         started        20 timeout.exe 1 16->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d624b8b210c126ab30fcaba70efc90a0be4154fe53bb1e4d17ccc6d076e55d84/
Threat name:
Win32.Trojan.VBObfuse
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 09:15:30 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
08f8f2c8de752da634afbc32510b0a750ee5eacc96a130aacd317bc19ce64de2
GuLoader
47c4518661a80adc00b208c24ba1726bd1074360eec4c2e3d265f6c412f745f9
GuLoader
48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6
GuLoader
5202c86ff05c916da27a70ed912bd5310473d337747f1b38e475fa1e7e6310c4
GuLoader
74930326e1b80d4c6107fd1e1e681f096848bdb61e8db08707cdbda38a6d1f73
GuLoader
7754406e305f40d2a17def7c7d64ed01e3911f18368e36e64b90af21c48a91c4
GuLoader
81462d560b4bf3660bc4eb2c57b827c7e09dea12f4d590ed05880c3d0fc560cb
GuLoader
8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0
GuLoader
b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310
GuLoader
f473972f1bc6adb86928a21d4a7af08550aec0ca5c17056a95e830142a2e8f11
GuLoader
+ 142 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210909-q2f5xabdek/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
d624b8b210c126ab30fcaba70efc90a0be4154fe53bb1e4d17ccc6d076e55d84
MD5 hash:
bb005fca8dc49383e49fb945acec62d2
SHA1 hash:
08f5198226d7412346e1f279da33d9cb8efb0efc
Link:
https://www.unpac.me/results/a0407fe6-90a1-4bd5-8e66-18d6b8e09fb7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d624b8b210c126ab30fcaba70efc90a0be4154fe53bb1e4d17ccc6d076e55d84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/186676/
  
URLhaus
https://urlhaus.abuse.ch/url/1605625/

Comments