MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
SHA3-384 hash: f6db47c7f6f50d8562c280265c2b3d63630a086a61bb24c823214daf613760cebe4551bda0ffeeb2bb2a9ae2a726c4bb
SHA1 hash: ee63af5c34a027ba8b8331dd678b15e7a87d26a6
MD5 hash: e0d74762f123eb6603898d1482eb9752
humanhash: wolfram-harry-white-timing
File name:e0d74762f123eb6603898d1482eb9752.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2021-08-02 12:51:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5565993a5a9f2bfb76f28ab304be6bc1 (7 x GuLoader)
ssdeep 1536:hSGTBAAP0gRQhGuloEWu6Y9yaipBhHaWQmiPYDqulcgRQhWSGTBAAP:hSGTBxChTlHWu6jbfFtDXlKhWSGTBx
TLSH T16BB38C47A22C3B9ED3B78C766FDA396D8DC0FC240A4DDA1FA381CC9A55836166D0C935
dhash icon b3b6d48ccae8cc8b (1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e0d74762f123eb6603898d1482eb9752.exe
Verdict:
No threats detected
Analysis date:
2021-08-02 12:53:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c56f2197-35ef-428e-bd06-ae9f9022051f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175802/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2e86b06-706c-4798-a1c5-1dafa24928ef
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825507
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Detected unpacking (changes PE section rights)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457916 Sample: loKmeabs9V.exe Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 8 other signatures 2->39 7 loKmeabs9V.exe 1 2 2->7         started        process3 signatures4 41 Detected unpacking (changes PE section rights) 7->41 43 Tries to steal Mail credentials (via file registry) 7->43 45 Creates autostart registry keys with suspicious values (likely registry only malware) 7->45 47 5 other signatures 7->47 10 loKmeabs9V.exe 2 11 7->10         started        process5 dnsIp6 29 101.99.94.119, 49734, 80 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 10->29 31 wealthyrem.ddns.net 194.5.97.128, 39200, 49735, 49736 DANILENKODE Netherlands 10->31 23 C:\Users\user\AppData\Local\...\yourphone.exe, PE32 10->23 dropped 25 C:\Users\user\AppData\Local\...\yourphone.vbs, ASCII 10->25 dropped 49 Tries to detect Any.run 10->49 51 Hides threads from debuggers 10->51 53 Installs a global keyboard hook 10->53 55 Injects a PE file into a foreign processes 10->55 15 loKmeabs9V.exe 1 10->15         started        18 loKmeabs9V.exe 13 10->18         started        21 loKmeabs9V.exe 1 10->21         started        file7 signatures8 process9 dnsIp10 57 Tries to steal Instant Messenger accounts or passwords 15->57 59 Tries to steal Mail credentials (via file access) 15->59 27 192.168.2.1 unknown unknown 18->27 61 Tries to harvest and steal browser information (history, passwords, etc) 18->61 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 12:52:04 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210802-rvvjxzajke/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
MD5 hash:
e0d74762f123eb6603898d1482eb9752
SHA1 hash:
ee63af5c34a027ba8b8331dd678b15e7a87d26a6
Link:
https://www.unpac.me/results/50130dc9-054b-447d-a0cc-3289180ab9b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1489223/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175802/

Comments