MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1bd6adeeb4de478e5697432f1cd289a435e6102702e84f40a0cdf9c638e5184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	f1bd6adeeb4de478e5697432f1cd289a435e6102702e84f40a0cdf9c638e5184
SHA3-384 hash:	19f62a4ef2fe99694f2f703f6830bf2c0dee57897f66347d53d7c2c841a3d457044d51109338219c8d27561097caaeb3
SHA1 hash:	33e51a2bd5f54c0e4abbe073db6c818acbb63093
MD5 hash:	bf96d95a92ceb01f770363a4e7586ff5
humanhash:	seven-fillet-friend-louisiana
File name:	SecuriteInfo.com.Trojan.Siggen17.32175.3080.22840
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	364'544 bytes
First seen:	2022-04-02 11:30:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:xYa6Z5tDJg6Jflrzd+SMMwhryKFPQCivRWePDG:xY/hLMMwpyKF4RPa
Threatray	14'500 similar samples on MalwareBazaar
TLSH	T134742B92B011419AEDB735F26C2F883025C36EAE91B5D70D56EB772A5BF3352005BF0A
File icon (PE):
dhash icon	712a4a25a593a331 (3 x GuLoader, 1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.32175.3080.22840.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Creating a file in the Windows directory

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12396/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/624833f8a19c649412beda21/reports/f081c5ca-d00d-4e05-b3cc-c26bb16aedf0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/03318285-6ea5-467e-bfa3-473cde838404

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/969372

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f1bd6adeeb4de478e5697432f1cd289a435e6102702e84f40a0cdf9c638e5184/

Threat name:

Win32.Downloader.Guloader

Status:

Malicious

First seen:

2022-04-02 11:31:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 42 (26.19%)

Threat level:

3/5

Verdict:

malicious

Label(s):

cloudeye

formbook

GuLoader

0b32f79b8abe4a232193f819dccfa47a922353e961d37d1becd35171c2b04a89

GuLoader

36fab6d728571d3da4184d3335a8263dd47f1bfa573ca762360958eb11c4c874

GuLoader

3b71cc76f43648f26823ecf65fc133a9da6f03fb55f6f9ca0627824ee8862c6b

GuLoader

3c010d88a118ba3cc666e05c6f8f82159ac38e5486b5ed60c65d870287b8cff6

GuLoader

67db5982545c91192a7c4fcaa3cbe5324de3e69faa1af275b05926d80eda889d

GuLoader

99ec7c3d98449f130584d01f3dea7e8084df01abae8077ae18900695e2d941cb

GuLoader

a2d7a6453efd6b8c31af2e225ae7f93064d44fe328b5bb2e530d820e5e6ca5f8

GuLoader

ae971526492d43606efd2d0f37ac9b262618a28274887388a7c7f9f095942a81

GuLoader

+ 14'490 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:formbook family:guloader campaign:eo22 downloader rat spyware stealer trojan

Link:

https://tria.ge/reports/220402-nmpgmaeed5/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent file

Loads dropped DLL

Formbook Payload

Formbook

Guloader,Cloudeye

Unpacked files

SH256 hash:

f1bd6adeeb4de478e5697432f1cd289a435e6102702e84f40a0cdf9c638e5184

MD5 hash:

bf96d95a92ceb01f770363a4e7586ff5

SHA1 hash:

33e51a2bd5f54c0e4abbe073db6c818acbb63093

Link:

https://www.unpac.me/results/834291c0-cd51-48c7-a227-f7f04a8cc996/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f1bd6adeeb4de478e5697432f1cd289a435e6102702e84f40a0cdf9c638e5184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample