MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
SHA3-384 hash: 1369c2f1ecfb2a1565e289377b1cc992d420152321719e8ff52d76d6cbc138d38a70e7daa8f5d0b939e96333d9a82297
SHA1 hash: b59c63a01d15b5282a28f894bd62cb8b95c88300
MD5 hash: 74e0e9b5a751e88b1dbe0edbe894672d
humanhash: nevada-coffee-dakota-mexico
File name:74e0e9b5a751e88b1dbe0edbe894672d.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:106'496 bytes
First seen:2021-02-17 06:53:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 28cfb83efbb0b6bd426b66f31651da5c (16 x GuLoader, 1 x RemcosRAT)
ssdeep 1536:D9BDGpKk2DLt7Dzat6ZIdErO9jOF3d3r5:DHDGYB9za0WdEN5
Threatray 46 similar samples on MalwareBazaar
TLSH B9A3D532F951DDB9D14884358102F7EC4917BF318844592FBACD7B5E2A3B6C294A4E2B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://185.161.211.58/Ose_2021%20remcos%20NOIP_fdrlZZb177.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117492/
Detection(s):
Win.Malware.Razy-9832618-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Sending an HTTP GET request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/609861
Signature
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-02-15 16:52:27 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3237nz3nbut2ldl6wuzybohtthmbzkuef7qyrayde642vwbk7wya._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
22b13820a6139c7682d5e1108aefde2200dc593e14fe7fca28eb27d5e616bef7
GuLoader
444dbf26e5c9f7309acd880592c76eb0cb588a33f8ed51ee735ab6d623d64256
GuLoader
593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5
GuLoader
7499c45e246fe759ff4180bd864252689b1cbadc7825d007c7e25aa39c6a4450
GuLoader
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
GuLoader
7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9
GuLoader
ae3974aeea651951c5c5802cf7a556c7626529790db1fd34f29be31c29f58ce2
GuLoader
c0e6f7a4aa809d2b93ba137245380ada0a44ac5576935e13e165d02b1b937583
GuLoader
c120fd3e62a0ecd299625f3fbf622fb8a56b534828b6788fe766f1bc36ac7a68
GuLoader
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
GuLoader
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210217-3cdwcm2tkx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/42da4844-a479-440c-8aef-3315ab1d9912/
SH256 hash:
deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
MD5 hash:
74e0e9b5a751e88b1dbe0edbe894672d
SHA1 hash:
b59c63a01d15b5282a28f894bd62cb8b95c88300
Link:
https://www.unpac.me/results/42da4844-a479-440c-8aef-3315ab1d9912/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1015305/
  
URLhaus
https://urlhaus.abuse.ch/url/995739/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117492/

Comments