MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eecc0370c5fa57f7dc1f39cab12ae1d912dda32f98cde16b1e3cf6d6fe6a755f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eecc0370c5fa57f7dc1f39cab12ae1d912dda32f98cde16b1e3cf6d6fe6a755f
SHA3-384 hash: 9ca7c2b0ed122b7a7159f683ed14b7b318b31228d19f25d2be1856a09434315c0106640ec368ab4329a04174f505f981
SHA1 hash: baa53b11c99a11e92b56ddef0bfa57972a1f90df
MD5 hash: 96b2c532c7578f7b3a505148857daa11
humanhash: solar-moon-nineteen-romeo
File name:Athrill.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:362'685 bytes
First seen:2022-06-22 11:22:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:t3yddvw8pSu11iGiiirEZCy5O78+3aPrGRbWutQE5JL/2EG1jTa/1vnr0X7wVSpl:t3yztT1iGiiig5/jhsh/xo+2eW/47o
Threatray 2'348 similar samples on MalwareBazaar
TLSH T10474509CEC794ECBEB7C2AB1EAF2849519E75DFE41F1225DB67491300B63F610C0A825
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a292cab4ba9ec6a2 (1 x GuLoader)
Reporter malwarelabnet
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282276/
Detection(s):
Win.Dropper.Nanocore-9947074-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22283/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader nanocore overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62b2fbde1fcdba4e1a48f09c/reports/27e4a996-0b07-4393-80ff-0fbd5cc8e212/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/681bf0c1-32a6-4e4b-a923-3789ce602a51
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1017833
Signature
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 650332 Sample: Athrill.exe Startdate: 22/06/2022 Architecture: WINDOWS Score: 100 22 smtp.1and1.es 2->22 24 mail.1and1.es 2->24 26 3 other IPs or domains 2->26 34 Snort IDS alert for network traffic 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected GuLoader 2->38 40 2 other signatures 2->40 8 Athrill.exe 1 28 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Local\...\System.dll, PE32 8->20 dropped 42 Writes to foreign memory regions 8->42 44 Tries to detect Any.run 8->44 46 Hides threads from debuggers 8->46 12 CasPol.exe 11 8->12         started        16 CasPol.exe 8->16         started        signatures6 process7 dnsIp8 28 smtp.1and1.es 212.227.15.142, 49751, 49752, 49753 ONEANDONE-ASBrauerstrasse48DE Germany 12->28 30 googlehosted.l.googleusercontent.com 142.250.186.65, 443, 49744 GOOGLEUS United States 12->30 32 drive.google.com 216.58.212.142, 443, 49741 GOOGLEUS United States 12->32 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Tries to steal Mail credentials (via file / registry access) 12->50 52 Tries to harvest and steal ftp login credentials 12->52 58 4 other signatures 12->58 18 conhost.exe 12->18         started        54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->56 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eecc0370c5fa57f7dc1f39cab12ae1d912dda32f98cde16b1e3cf6d6fe6a755f/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-06-22 07:42:59 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53gag4gf7jl7pxa7hhflckxb3ejn3izptdg6c2y6ht3nn7tkovpq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
19e5b14651f7ad050e2b9dc95e5bb7574a8fdde378bfbc7101ee7e2276c23d62
GuLoader
2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee
GuLoader
5810b0d44b3328dead0b3bc7fc6c3178193a1bd88c5b21ecaea224f56cc7aef3
GuLoader
8db83c5c1507e0307df594c1f068faef19e6e3377dd8d6ed3c9610b70bf93356
GuLoader
aac13b3f25b043fcc1baaa1481ab241a4845ff0d978fe86a455deaf28cedd352
GuLoader
ca5cc4f7922dfbfe895bf8421366260ca591ae794e04de9fbf1e3ccc2b2530db
GuLoader
dc226bbd9a65576734dbea2bc18c596f6997bfc90715dc0ef21b7d867a9ac4ac
GuLoader
f989f4c705d1b4953d6d9992d8564f71ae96409b696d527e6c09e3e885db687f
GuLoader
+ 2'338 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220622-ng5awschej/
Behaviour
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
403d7a73276e7679896746290502ea5c4d51fcf27b76afcd2ebec2ace4381da6
MD5 hash:
3cdd94e9a7705970d68b4a62dc7eb600
SHA1 hash:
573d4778a66e819402bf0055cd77ec6b4acced5e
Link:
https://www.unpac.me/results/7a37b857-4c4b-414f-b981-e715c886d4a9/
SH256 hash:
eecc0370c5fa57f7dc1f39cab12ae1d912dda32f98cde16b1e3cf6d6fe6a755f
MD5 hash:
96b2c532c7578f7b3a505148857daa11
SHA1 hash:
baa53b11c99a11e92b56ddef0bfa57972a1f90df
Link:
https://www.unpac.me/results/7a37b857-4c4b-414f-b981-e715c886d4a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eecc0370c5fa57f7dc1f39cab12ae1d912dda32f98cde16b1e3cf6d6fe6a755f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282276/

Comments