MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e947261444b110a5604981645a6d057a9603a1a6919a45a3f5c61a2d713aff5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e947261444b110a5604981645a6d057a9603a1a6919a45a3f5c61a2d713aff5d
SHA3-384 hash: 3a80833b589049a714fd9104559a697c254aa7f8412a5c4b9591201759c324062bab55808174e73a5cbc3b7f21e77c25
SHA1 hash: 9755c4f7d746f444827702376c07a999598f582c
MD5 hash: 9b509f1166db541d542bf77b272fe5f3
humanhash: tennis-mars-magazine-victor
File name:9b509f1166db541d542bf77b272fe5f3.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2020-12-25 08:00:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4123d3273ece186755bbc75ab8123f11 (1 x GuLoader)
ssdeep 1536:2xerXhDHOJaeD0GjU5UM12MvMpVPrV/lXh7tx:2YzhfeDJ45Ugg1h5t
Threatray 1'741 similar samples on MalwareBazaar
TLSH 9B736D1354BC4962DB9552B018BF0AA20FA2DC601D72CF4A599BF8EE5C71F0A749E13F
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
https://onedrive.live.com/download?cid=AB6E06790CD863C3&resid=AB6E06790CD863C3%211146&authkey=ABp681BUAZMrJTM

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4a2bdf8ab2f1fb98d21c676cf528528c.zip
Verdict:
Malicious activity
Analysis date:
2020-12-22 05:37:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc525067-46fe-4979-a9e2-f3bf50e9c2e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109427/
Detection(s):
Win.Dropper.Remcos-9816847-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Launching a process
Creating a file in the %temp% subdirectories
DNS request
Creating a file
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/570018
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e947261444b110a5604981645a6d057a9603a1a6919a45a3f5c61a2d713aff5d/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 12:57:07 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5fdsmfceweikkycjqfsfu3ifpklahingsgneli7vyync24j275oq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
guloader
Create hunting rule
Similar samples:
1befcab4a8d97cea8592fa608814f038fd956a5f1f2ddfd9ee8b9402045a705a
GuLoader
4791861118e0be776fd14153e2feca7d25f5a91a6c32a997385f5ae272e3d7c8
GuLoader
56369cd0a8b7843a6e6c9bef3de71498a19c4e4be23cacb868b8ec1d21286f36
GuLoader
6e5043ac0e1d89c4ee31f53d1571b47fc57545c48bcc4bc2c904295ddd114684
GuLoader
751f457af44bf0eeb364517ef0ca6683cb139c4da430f14a5d62d271b9d6f586
GuLoader
aaacdc757d39cd544288dcc7d9fc635dfc4942ed360b63c7be0d79525697fe30
GuLoader
b20763ef2da523cc3f4dba41af4d4248bae939b8834c5a746bbff398431989d0
GuLoader
bbdbb7ca68c199a7b030b900434d79f3fe59ab20fdb4ed910609fc5f91599c57
GuLoader
d8d57620d6da63dbdfc7210c6ae721940e95e62f0473053e09770a2763c07ecf
GuLoader
f6c8f18b6a8db8307ea07c171236d118f91924e497027eeb305800ba2eee4fbe
GuLoader
+ 1'731 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201225-hhffjcj8cs/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
e947261444b110a5604981645a6d057a9603a1a6919a45a3f5c61a2d713aff5d
MD5 hash:
9b509f1166db541d542bf77b272fe5f3
SHA1 hash:
9755c4f7d746f444827702376c07a999598f582c
Link:
https://www.unpac.me/results/8a7cb3ee-a580-4726-bc11-0061a1eb6356/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e947261444b110a5604981645a6d057a9603a1a6919a45a3f5c61a2d713aff5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/941901/
Cape
Cape
https://www.capesandbox.com/analysis/109427/

Comments