MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768
SHA3-384 hash:	fd69533494a8c322c74273f0802813216e43ce6331d12fac51876539c58e248298c3f54fda1abbe57f89a879688b5f45
SHA1 hash:	141bfd0bb27e8ecba252638358af79cbdcf2500d
MD5 hash:	a03279f904c9237ce94277d7dabcc609
humanhash:	tennessee-zebra-connecticut-hot
File name:	e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	332'790 bytes
First seen:	2023-04-04 13:01:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep	6144:GT4DtMmNNsy4e5ax+/lJOlUWPvXd0XXbr+YmWgOt2MYy8taU9mdf9qTqNxzncD:GT9Y5ax+/lJqU8d0XXWYmCYMOzEQTqNK
Threatray	1'471 similar samples on MalwareBazaar
TLSH	T105641221B1C0C533DD7216356E67172A8D33AC65BB90ABC753803E6AFDB21D2C90E799
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	60e4f4d86c6474fc (2 x GuLoader)
Reporter	adrian__luca
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768

Verdict:

Suspicious activity

Analysis date:

2023-04-04 13:01:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1b821ab9-42c9-4440-bc32-1b6b6a950a3a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/380025/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.66125397.30395.30391.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Delayed reading of the file

Creating a file in the %temp% subdirectories

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/76505/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo guloader nemesis overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/642c1fcb35c10d8aaf28995c/reports/ac347cbe-7351-4a30-8386-b412403f8a89/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7fdfc0f0-d598-4b39-a56d-01245c37b81a

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1208149

Signature

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-03-27 13:43:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5cko7h744vvkjedflughne5fdjasl47etk52hxn7tqgs3isqy5ua._file

Verdict:

malicious

GuLoader

4709918939b87a9c054e217770dc158f33c7446815b548d5dabd4a6b138b61b8

GuLoader

486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5

GuLoader

799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21

GuLoader

cf890935581d55d30342de2c71190393c3c03b99258ba7a1e3e3139099ee0b97

GuLoader

cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1

GuLoader

cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3

GuLoader

f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2

GuLoader

+ 1'461 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230404-p9r2psgh6y/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

Unpacked files

SH256 hash:

7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

MD5 hash:

564bb0373067e1785cba7e4c24aab4bf

SHA1 hash:

7c9416a01d821b10b2eef97b80899d24014d6fc1

Link:

https://www.unpac.me/results/b6af357a-11a3-4c4b-a915-5dc9c7ccb59a/

SH256 hash:

e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768

MD5 hash:

a03279f904c9237ce94277d7dabcc609

SHA1 hash:

141bfd0bb27e8ecba252638358af79cbdcf2500d

Link:

https://www.unpac.me/results/b6af357a-11a3-4c4b-a915-5dc9c7ccb59a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380025/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample