MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f16b2f7518ccea4c029f26bb8374e8f5f7be16ca76a68f8e449eba2bf02bf2b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f16b2f7518ccea4c029f26bb8374e8f5f7be16ca76a68f8e449eba2bf02bf2b6
SHA3-384 hash: ed447edf1cdc59a5616c538a75774b42ff42346fdb3a1e62411f51642a1d50646c2f692c8ca212584b32c9b2bb6f39a3
SHA1 hash: c620ab81722fcd626be856478ad5248136e2dc91
MD5 hash: 025eaccfdecb9df000e526122ce84aa2
humanhash: potato-vegan-fillet-steak
File name:025eaccfdecb9df000e526122ce84aa2
Download: download sample
Signature GuLoader
Create hunting rule
File size:139'264 bytes
First seen:2021-10-14 11:26:59 UTC
Last seen:2021-10-14 14:03:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c727a98e677fb7bd25bb06d2a2d956f1 (11 x GuLoader, 1 x Formbook)
ssdeep 1536:9pLx1dS8oTPnsZDIhdjKWuLo70xepTTb4LHVFnEPvemJp05vkPSJ25KPQi4Niefp:Lx1dS8ojssso76wiHVCWcqSb7zv
Threatray 2'026 similar samples on MalwareBazaar
TLSH T1AAD3819122B08FD8E4A79ABF17E1471431327E340956BD4AF68DBE1E4E761E0D69032F
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UPDATED SOA.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-14 10:37:25 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/d27929f7-d000-47da-8ca5-5264decbf959

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197527/
Detection(s):
SecuriteInfo.com.Variant.Razy.964195.61.20850.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6168140a9fb4d8593d64c1be/reports/9a805bad-bcbf-4d52-b342-454b5d1f81d4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5f06799-b524-4352-ba1e-c2a8c5e7014a
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870439
Signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f16b2f7518ccea4c029f26bb8374e8f5f7be16ca76a68f8e449eba2bf02bf2b6/
Threat name:
Win32.Trojan.InjectorAGen
Create hunting rule
Status:
Malicious
First seen:
2021-10-14 11:27:07 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0b65815d462586870177898072a1500ec014a390eb466ea0dd716567ada4109a
GuLoader
4df45d5c109f75ab624bef07b6d0ecc5f7c7fd2527efdd2af3b18e0c5d8b32ee
GuLoader
57a3bde46b00d57d8a57fb821f22843f608ecad6e643a3e8b58d1a3902bb3c0d
GuLoader
64939ef2abe9b397b1f99bb4ba00c7e49be75f14013647c8e0605fb5fdb3b14b
GuLoader
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
GuLoader
7d6174dce4980e71b083ae63d3b165b50b20855edb40ffa10a06a8e46e765cab
GuLoader
963043215c54f2a5b1ae6a53787ed78c838beb576e2744e304665f611c7fcb60
GuLoader
ab2261ddf24d2524a3ffe99044fac988f6178be9bc78d28cd5db289c414c3a4f
GuLoader
c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e
GuLoader
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
GuLoader
+ 2'016 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/211014-nkffyahac2/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
f16b2f7518ccea4c029f26bb8374e8f5f7be16ca76a68f8e449eba2bf02bf2b6
MD5 hash:
025eaccfdecb9df000e526122ce84aa2
SHA1 hash:
c620ab81722fcd626be856478ad5248136e2dc91
Link:
https://www.unpac.me/results/32cae238-666c-48fa-87b4-0ac674647876/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f16b2f7518ccea4c029f26bb8374e8f5f7be16ca76a68f8e449eba2bf02bf2b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe f16b2f7518ccea4c029f26bb8374e8f5f7be16ca76a68f8e449eba2bf02bf2b6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1677134/
Cape
Cape
https://www.capesandbox.com/analysis/197527/

Comments


Avatar
zbet commented on 2021-10-14 11:26:59 UTC

url : hxxp://107.172.13.131/005005/vbc.exe