MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9da34178f5af034a46aa98a5df2b516854bc866670358c18c5c61266a8fd351. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	d9da34178f5af034a46aa98a5df2b516854bc866670358c18c5c61266a8fd351
SHA3-384 hash:	38a953b3a0043033f7130c217ceb925774fe6c6ecee3d6b51238ea57ae3ff46dbe3dcc7e20c0e6a134e1e637bcbef605
SHA1 hash:	4f293e632c1cd5c316c223ab3d3674fd6ad8db9f
MD5 hash:	cbb369d68ea3c7ecb9df79796016dc36
humanhash:	delaware-triple-nitrogen-virginia
File name:	cbb369d68ea3c7ecb9df79796016dc36.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	106'496 bytes
First seen:	2021-05-14 18:10:43 UTC
Last seen:	2021-05-14 18:46:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	67f10a91110943b1e66ce1a1b097152b (3 x GuLoader)
ssdeep	1536:lUZv5gtUhx2V/qt/DaUj3bgZXE8S85bO/DkW/5XoafTHe:lYv53hx2V/M/DD0UJkO36
Threatray	1'312 similar samples on MalwareBazaar
TLSH	21A3F6736740FA34D95688B3051602A90BA1ADB00D25095BFFC63609AEB1FDB9DF1BD3
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

GuLoader payload URL:
https://dalmatiaaeterna.hr/potpis/bin/bin_TKVXTgK1.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

cbb369d68ea3c7ecb9df79796016dc36.exe

Verdict:

No threats detected

Analysis date:

2021-05-14 18:23:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d29b62fa-e629-433d-8c80-3acda526bcd3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/156886/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8537522c-c2f7-43f7-adfc-4c4c13ab3585

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

rans.troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/782177

Signature

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d9da34178f5af034a46aa98a5df2b516854bc866670358c18c5c61266a8fd351/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2021-05-14 07:42:43 UTC

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3hndif4pllydjjdkvgff34vvc2cuxsdgm4bvrqmmlrqsm2up2niq._file

Verdict:

suspicious

Similar samples:

6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092

6f33f5e3a23420dacdc26fb8e2eef07fe482e634d4b832b0917cbe7ed37864f5

815b5f62adb35607df07859bfd1b75763bf525643e7f21d5a0f8803dd0e86be4

8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047

a33b31af132d492e1eb511ed37087a9c52af1f7dd575fa63634fa9b4170daaa7

a5fb63409bbc68224d3e2be7511cc6a49fd205892813890c3a76feeabd5a5e56

c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414

c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292

e779b9901336cc05561d85c591f9efe628234c5f3ed2d072f00f8e370711072d

fd5a380a446107f3648301abfefda6b5269ecc51ccf21fb850a8d70332ab962b

+ 1'302 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210514-a6k72fg3yn/

Behaviour

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/d9da34178f5af034a46aa98a5df2b516854bc866670358c18c5c61266a8fd351

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe d9da34178f5af034a46aa98a5df2b516854bc866670358c18c5c61266a8fd351

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1229900/

URLhaus

https://urlhaus.abuse.ch/url/1229577/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/156886/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample