MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018
SHA3-384 hash: 85a4fe08c1409ab7fcf9ebd0fabd166befca93e89cb3cb1b64c9d0176a15d74b1c94d970945608be3bf6e1d4d3bcb88b
SHA1 hash: ecf424df93c726d30850371e3ae3dee7085e363e
MD5 hash: 7457fdd20c567bd3c20e7be6ee044726
humanhash: video-bacon-romeo-ack
File name:7457fdd20c567bd3c20e7be6ee044726
Download: download sample
Signature GuLoader
Create hunting rule
File size:350'992 bytes
First seen:2023-05-23 06:33:07 UTC
Last seen:2023-05-24 05:53:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep 6144:+yI0WlsebOmeI1+loEBQqHunF+w8tQYRfeJu3SbHSl9z1iwFD4lSlULWrsDcbKt:p0AIYldBQqHunGtQCGJu3S+l9wwFTlUd
Threatray 925 similar samples on MalwareBazaar
TLSH T1E074134627A4ECB3E2632DB64BAA76329F76DF900A3304D71B543F569C713824E196C3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9088a2f178b05e2c (6 x GuLoader, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-04T00:40:45Z
Valid to:2025-12-03T00:40:45Z
Serial number: 3735cd37c7ab4f92a5bd48228b15b6161c24b3ad
Thumbprint Algorithm:SHA256
Thumbprint: 9992e321390bc5bc3b9464768b16de8fcd2222d69e5d9cd7bcf4c84e74ed6951
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
5
# of downloads :
262
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
7457fdd20c567bd3c20e7be6ee044726
Verdict:
Malicious activity
Analysis date:
2023-05-23 06:35:42 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/927a9ea6-6aba-478b-a3f4-ab42888fc792

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.HEUR.Trojan.Win32.Guloader.gen.7762.805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87509/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer guloader lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/646c5e5be4dc07f96e747fe7/reports/f035c00d-d0a1-49fa-9aef-20eb78b77d60/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/06bd8802-d985-41e4-b3e1-ee45266f10f4
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1240556
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 873560 Sample: iuwxw7l3B8.exe Startdate: 23/05/2023 Architecture: WINDOWS Score: 100 36 www.xunanting.xyz 2->36 38 www.verenasbooks.store 2->38 40 19 other IPs or domains 2->40 58 Snort IDS alert for network traffic 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 6 other signatures 2->64 11 iuwxw7l3B8.exe 2 29 2->11         started        signatures3 process4 file5 32 C:\Users\user\...\SoulKeyServicePlugin.dll, PE32+ 11->32 dropped 34 C:\Users\user\AppData\Local\...\System.dll, PE32 11->34 dropped 76 Tries to detect Any.run 11->76 15 iuwxw7l3B8.exe 6 11->15         started        signatures6 process7 dnsIp8 48 192.210.175.102, 49805, 80 AS-COLOCROSSINGUS United States 15->48 50 Modifies the context of a thread in another process (thread injection) 15->50 52 Tries to detect Any.run 15->52 54 Maps a DLL or memory area into another process 15->54 56 2 other signatures 15->56 19 RAVCpl64.exe 15->19 injected signatures9 process10 process11 21 cmd.exe 13 19->21         started        signatures12 66 Tries to steal Mail credentials (via file / registry access) 21->66 68 Tries to harvest and steal browser information (history, passwords, etc) 21->68 70 Writes to foreign memory regions 21->70 72 3 other signatures 21->72 24 explorer.exe 3 1 21->24 injected 28 firefox.exe 21->28         started        process13 dnsIp14 42 cursodocristao.site 50.6.138.39, 49840, 49841, 49842 UNIFIEDLAYER-AS-1US United States 24->42 44 moheganmart.com 208.109.41.246, 49867, 49868, 49869 SUCURI-SECUS United States 24->44 46 12 other IPs or domains 24->46 74 System process connects to network (likely due to code injection or exploit) 24->74 30 WerFault.exe 4 28->30         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abdnjetkjfxkgvko4oklg33x265f6ykxdc6xhoitt6lcfupbcama._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
01ff3a6ce715226b103f3bf80bdb44737fc8bccd38119a7372d8cdcfd3b034c7
GuLoader
2cb0d3b3c2a398a778d18b089cf68d8f7fd91808da695bee0f0fb556354efe09
GuLoader
478e966f1f7aa4d1479c58f0736b4355cd04d2b10c088700e89eb016da7136c5
GuLoader
68561f9a18130d1f0e2a8ca14b9e9344a7f624bb599a766a5b41e16fd728e192
GuLoader
7b8d50ac67b2f0de5e35909025cc1a8d15f5edd18675878c7aaa31e3fe83a9fd
GuLoader
8f4ac34c7cf2cc81beb02355c6f455fb4e3d6f1960130811079b1ae5ddd303ac
GuLoader
af83e815aabba8ca4829ea710a756a3e948fb14e3b6169838e7bba90f1034226
GuLoader
d4c48b5aefc7225b307e2e8c3f2d158b14fc6b736c83d36dc36a9d7c2e6eec29
GuLoader
d6ed44f8974685e43802fae6ce9a8aed3e2bdcf8c8bb71b9d5922025f07647e6
GuLoader
db19a753c3b30fefe4c2cad16fc3646fa1c4d4d3f662d1fc6e58fc8b61d44e57
GuLoader
facf2fbbac21edd7550d00e6f6916f9ee598f9c3bdc2ca0feb288c139d687672
GuLoader
+ 915 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/230523-hbr6gsea73/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
MD5 hash:
3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 hash:
fe582246792774c2c9dd15639ffa0aca90d6fd0b
Link:
https://www.unpac.me/results/619a3154-a4cb-4dae-8ad0-38d0493c0211/
SH256 hash:
0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018
MD5 hash:
7457fdd20c567bd3c20e7be6ee044726
SHA1 hash:
ecf424df93c726d30850371e3ae3dee7085e363e
Link:
https://www.unpac.me/results/619a3154-a4cb-4dae-8ad0-38d0493c0211/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0046d4926a49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2639333/
  
URLhaus
https://urlhaus.abuse.ch/url/2639413/

Comments


Avatar
zbet commented on 2023-05-23 06:33:08 UTC

url : hxxp://141.94.149.125/R1179_/vbc.exe