MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00e9a57fdb09a5e4a8da4ee7fc33e9654851c96fa02b2be3a9616253e1d64bb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00e9a57fdb09a5e4a8da4ee7fc33e9654851c96fa02b2be3a9616253e1d64bb4
SHA3-384 hash: f711cbddcf6b06c8ac092c2cad88c102120354c797ee4e6ee6c86b75daf7598449c31df1847fbb44cb1e8a778fa1cd0c
SHA1 hash: 4d9ea8f109cd40e66d33f760e60b64e24605b300
MD5 hash: 9d697a763745aba267d528c4d7bb3d63
humanhash: nuts-neptune-yankee-delaware
File name:Inquiry 1100735.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:569'824 bytes
First seen:2023-12-04 09:13:45 UTC
Last seen:2023-12-04 11:21:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93dfc16ed07ebeb5b405221f10d12c0e (30 x GuLoader, 4 x RemcosRAT, 1 x AgentTesla)
ssdeep 12288:TS2dfQBQfY/hJX1kVpP+Wb1LYTt5mMYAMxWI9:W2dfWX/VcpPjhLC0AAX9
TLSH T177C40102BB8CD49EDA632B7098B3EA4A17F4FDF556B601077E29352E88373515A39F04
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6ad3dbc9e394c478 (3 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Oprydningsarbejders
Issuer:Oprydningsarbejders
Algorithm:sha256WithRSAEncryption
Valid from:2023-04-25T06:08:44Z
Valid to:2026-04-24T06:08:44Z
Serial number: 45f358f47703111c1538d08ed2d8454f0e7f051c
Thumbprint Algorithm:SHA256
Thumbprint: aa92ef95f8e7c0e90f44ea4beda77f96ee8727ec7b043b98bf86efdb04270242
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
326
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462293/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1357304.27889.6042.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Searching for the window
Searching for the Windows task manager window
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656d985d6d4756846dc76e10/reports/ef9d4699-0a83-4f04-b6b1-e2e866ea6ae2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/00e9a57fdb09a5e4a8da4ee7fc33e9654851c96fa02b2be3a9616253e1d64bb4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd1e21b7-2d8d-4d54-9eaa-306f68682d77
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353002
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1353002 Sample: Inquiry_1100735.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 52 www.transelva.com 2->52 54 www.successlisa.com 2->54 56 4 other IPs or domains 2->56 66 Snort IDS alert for network traffic 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 4 other signatures 2->72 12 Inquiry_1100735.exe 38 2->12         started        16 wab.exe 3 1 2->16         started        18 wab.exe 1 2->18         started        signatures3 process4 file5 44 C:\Users\user\AppData\...\bldkogte.Kop, ASCII 12->44 dropped 46 C:\Users\user\AppData\...\Xerophagia.Frk, data 12->46 dropped 48 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 12->48 dropped 50 2 other files (none is malicious) 12->50 dropped 90 Suspicious powershell command line found 12->90 20 powershell.exe 12 12->20         started        signatures6 process7 signatures8 74 Suspicious powershell command line found 20->74 76 Very long command line found 20->76 78 Found suspicious powershell code related to unpacking or dynamic code loading 20->78 23 powershell.exe 15 20->23         started        26 conhost.exe 20->26         started        process9 signatures10 88 Writes to foreign memory regions 23->88 28 wab.exe 6 23->28         started        32 wab.exe 23->32         started        process11 dnsIp12 64 185.255.114.18, 49714, 80 DEDIPATH-LLCUS Germany 28->64 92 Maps a DLL or memory area into another process 28->92 34 sleQOiroGMOrWPMOBPs.exe 28->34 injected signatures13 process14 process15 36 TCPSVCS.EXE 1 13 34->36         started        signatures16 80 Tries to steal Mail credentials (via file / registry access) 36->80 82 Tries to harvest and steal browser information (history, passwords, etc) 36->82 84 Writes to foreign memory regions 36->84 86 3 other signatures 36->86 39 sleQOiroGMOrWPMOBPs.exe 36->39 injected 42 firefox.exe 36->42         started        process17 dnsIp18 58 www.yondbit.com 91.195.240.123, 49722, 49723, 49724 SEDO-ASDE Germany 39->58 60 parkingpage.namecheap.com 91.195.240.19, 49716, 80 SEDO-ASDE Germany 39->60 62 2 other IPs or domains 39->62
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/00e9a57fdb09a5e4a8da4ee7fc33e9654851c96fa02b2be3a9616253e1d64bb4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00e9a57fdb09a5e4a8da4ee7fc33e9654851c96fa02b2be3a9616253e1d64bb4/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 09:14:04 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=adu2k763bgs6jkg2j3t7ym7jmvefdslpuavsxy5jmfrfhyowjo2a._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/231204-k7bvgsab79/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Adds policy Run key to start application
Unpacked files
SH256 hash:
e18005b81ab18ca5afcab9b6a47d0f024535b66d1f02dc2c5e2c7f28faa21516
MD5 hash:
d3d76d8a516ceb45b8d354544c7fdec4
SHA1 hash:
0a39185c2292d3124f5139717ca9d00cd5a046b3
Link:
https://www.unpac.me/results/d5f487f3-88ca-4267-a678-a131fcf8eff8/
SH256 hash:
14ebfa0711b48ec748b6e4985db4b99a827996ae44b28122d16f14d0d0f51bb6
MD5 hash:
84bcbefa5fe3d82647a15f135f22fb2a
SHA1 hash:
7c23a0c1a8b185f5af456dafa63a3c1207d8c1dc
Link:
https://www.unpac.me/results/d5f487f3-88ca-4267-a678-a131fcf8eff8/
SH256 hash:
99c7654e291227686ffd9414bf77dc6c62d2b712f10348fd8a0697cd4940ef75
MD5 hash:
78e5813c5712f365d29f17e4f2aba6bb
SHA1 hash:
77fdf437a119d6cb6bd9b47b6073932aa419c928
Link:
https://www.unpac.me/results/d5f487f3-88ca-4267-a678-a131fcf8eff8/
SH256 hash:
cd962e37d655e66c81ba14a184b5959b85b80d0929725119ccd226f5ffb622a2
MD5 hash:
d7e3e8edfd38663f63e5440460ec4c0f
SHA1 hash:
1f347bf304982256102fcaaea32a52fccdc59caf
Link:
https://www.unpac.me/results/d5f487f3-88ca-4267-a678-a131fcf8eff8/
SH256 hash:
00e9a57fdb09a5e4a8da4ee7fc33e9654851c96fa02b2be3a9616253e1d64bb4
MD5 hash:
9d697a763745aba267d528c4d7bb3d63
SHA1 hash:
4d9ea8f109cd40e66d33f760e60b64e24605b300
Link:
https://www.unpac.me/results/d5f487f3-88ca-4267-a678-a131fcf8eff8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00e9a57fdb09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00e9a57fdb09a5e4a8da4ee7fc33e9654851c96fa02b2be3a9616253e1d64bb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 00e9a57fdb09a5e4a8da4ee7fc33e9654851c96fa02b2be3a9616253e1d64bb4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462293/

Comments