MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db2fc817af6b9f6d4a4b1ad1a837d9e56b8f8be9ee52266eded777d1f4b5a28b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	db2fc817af6b9f6d4a4b1ad1a837d9e56b8f8be9ee52266eded777d1f4b5a28b
SHA3-384 hash:	84101c2090f81b0b13fd10f881f5c708393fdced020c29754db0b80d990f437d483b2926bdf8b341eabce1283ce165bb
SHA1 hash:	95d8f6d7a8c5096b15b8ce9cf2aa44992251445e
MD5 hash:	cca85b09c94d8eff9e7f898f873f88ae
humanhash:	butter-jersey-king-sink
File name:	db2fc817af6b9f6d4a4b1ad1a837d9e56b8f8be9ee52266eded777d1f4b5a28b
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	344'336 bytes
First seen:	2022-12-07 14:02:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	6144:eVGdx6xDFvo/u/8ITnWHMJWjYc7CedZckqjSGAjTJ:qXvoY8ICHTWePck0zAjTJ
Threatray	18'758 similar samples on MalwareBazaar
TLSH	T1BF749E919110F16AD33188BED11F18F68E6AFC65E205783756513FEB3AB5E818123F2B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	adrian__luca
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-04-30T09:42:22Z
Valid to:	2025-04-29T09:42:22Z
Serial number:	2b16fbffaa159331
Thumbprint Algorithm:	SHA256
Thumbprint:	65cd78ca1ce35e7757604e4da30e353b157e2699f6c34037e2aada3de432cacf
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

db2fc817af6b9f6d4a4b1ad1a837d9e56b8f8be9ee52266eded777d1f4b5a28b

Verdict:

No threats detected

Analysis date:

2022-12-07 14:01:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2c9e02a8-3a6b-4f5b-aa8b-62211f36a9c2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/343993/

Detection(s):

SecuriteInfo.com.NSIS.InjectorX-gen.21713.9127.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Creating a file in the %temp% subdirectories

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63909d17f6e448d42df787e4/reports/ba9973c0-4e0e-4359-9b23-471c20776db1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/38206715-cc97-4a55-aabd-dacb061f8826

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

evad.troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1129966

Signature

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/db2fc817af6b9f6d4a4b1ad1a837d9e56b8f8be9ee52266eded777d1f4b5a28b/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-11-17 18:17:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3mx4qf5pnopw2ssldli2qn6z4vvy7c7j5zjcm3w62535d5fvukfq._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

7c6f7db15d2a2982a12d818ab85a279a97139d4138ac36cdb791fdb3f9bd47fc

GuLoader

7fa4a11b501e03019ad7b90d08c297554cd7c5e9b49de7aacfba190db630e5a4

GuLoader

82a78e7776925c9f48f60d863ac5061e4edeca3bc560d9e6057d4f3dbb51ddf8

GuLoader

8f4d63fea00eca6d91147de6a10b7aae6069f164ef00d5986eff571249552dae

GuLoader

b3c83ca8ac0be1a91267ff0c5f12e3db8b08b4fa0c8c44df69a4a358c946bbee

GuLoader

b689885667b1f8a29bafedff5fc69526534732ebb7731d98bbc06f7005b245d5

GuLoader

e7708401091962a6b59c0bd32d966d0c34902de5d927b27c8e13f9123c8606d1

GuLoader

ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83

GuLoader

f857890d674a9d4abd8ef6d735c7c03eef0a75777c64cb4a62917d12b68dcbfa

GuLoader

+ 18'748 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221207-rcnzwsac3w/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9939eb88-50f8-4bad-bfc7-7f4fc4d46f24

Unpacked files

SH256 hash:

a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

MD5 hash:

75ed96254fbf894e42058062b4b4f0d1

SHA1 hash:

996503f1383b49021eb3427bc28d13b5bbd11977

Link:

https://www.unpac.me/results/7a8b774e-2b7d-49f1-8ac6-3f0c05560c8b/

SH256 hash:

db2fc817af6b9f6d4a4b1ad1a837d9e56b8f8be9ee52266eded777d1f4b5a28b

MD5 hash:

cca85b09c94d8eff9e7f898f873f88ae

SHA1 hash:

95d8f6d7a8c5096b15b8ce9cf2aa44992251445e

Link:

https://www.unpac.me/results/7a8b774e-2b7d-49f1-8ac6-3f0c05560c8b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/db2fc817af6b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/db2fc817af6b9f6d4a4b1ad1a837d9e56b8f8be9ee52266eded777d1f4b5a28b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/343993/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample