MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31
SHA3-384 hash:	ab1f446b3b1fc2a3486ac04ee5dac87d685cc6052e61d8520f8ee995a0b351107baa94f6abfcc551fceb22d60893a451
SHA1 hash:	791a3bd61b86197187c4cf4bda00addadb0ed229
MD5 hash:	8f63989c8be7c64f94460dd231a570dc
humanhash:	vegan-sixteen-romeo-glucose
File name:	Liquidacion por Factorizacion de Creditos.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	374'473 bytes
First seen:	2023-12-04 09:25:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (542 x GuLoader, 116 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	6144:6Q606xNlmkDntOv/52sTYmEO6blgwBAg28nhoNW/OPk5JjllUBHKewaN:UFLtOH5uLbWah98SlUAe
TLSH	T1BB84F22D3210C8E5FD99C3B02B369B0B5ADFA8832141191737B17BB99735793E91E9C8
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8883b69d19c6c3c0 (38 x GuLoader, 6 x RemcosRAT, 6 x VIPKeylogger)
Reporter	abuse_ch
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/462318/

Detection(s):

SecuriteInfo.com.NSIS.InjectorX-gen.25034.15547.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %temp% subdirectories

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control installer lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/656d9b352efa450749b869b5/reports/60e602e1-230c-4e2e-93d3-313549235f8b/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e0b9b75a-6d4d-4adf-82c1-204c7ac71518

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1353027

Signature

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31/

Threat name:

Win32.Trojan.InjectorX

Status:

Malicious

First seen:

2023-12-04 05:11:54 UTC

AV detection:

10 of 22 (45.45%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=667af5oo5p4it74y7a7vlso6fobfekmvfk6agrjjei3edwh7hyyq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231204-ld769sac5w/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Unpacked files

SH256 hash:

5bee24fef5c0f643adc7ee02ccb6e80a72a4eb30d9d326023ac03f0ffbc4e624

MD5 hash:

376c1b784a3cca9d10ba4ca5d8cb55d2

SHA1 hash:

ad12f8ebab5b4b58eb7d5368469e82e2442b089f

Link:

https://www.unpac.me/results/674b5dde-767a-4736-a9e7-ad5d0f967831/

SH256 hash:

5586edc1baf42264a8abed6d0e2dcf3bb58865ffcab725ab200501d43960b2be

MD5 hash:

a024d407776046c59b9a6f89186214d2

SHA1 hash:

77ababec663930f209ff00227d795bc817df9a3a

Link:

https://www.unpac.me/results/674b5dde-767a-4736-a9e7-ad5d0f967831/

SH256 hash:

f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31

MD5 hash:

8f63989c8be7c64f94460dd231a570dc

SHA1 hash:

791a3bd61b86197187c4cf4bda00addadb0ed229

Link:

https://www.unpac.me/results/674b5dde-767a-4736-a9e7-ad5d0f967831/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/462318/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample