MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01dcd38c47e4a0560bb9a6ff1fbdc84599c3761d20cf7fec96a16d916e894795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

SHA256 hash: 01dcd38c47e4a0560bb9a6ff1fbdc84599c3761d20cf7fec96a16d916e894795
SHA3-384 hash: 6ad1b685471331aa59edf0f5da098be47d46fd7e9f8d5981ab0f078e36399392e0b0e632a92a8a8217045f513aad6e3b
SHA1 hash: fc0217fb97e0189712f908c234cb8393c72c0b67
MD5 hash: 6666c6c737f90b2005a59b8ffb9c9c27
humanhash: sweet-shade-fourteen-zebra
File name: 01dcd38c47e4a0560bb9a6ff1fbdc84599c3761d20cf7fec96a16d916e894795
Signature: GuLoader
File size: 738'008 bytes
First seen: 2025-07-07 14:50:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep: 12288:W3vQsC5SKvA6YeC5L4Zifej9I7wftMJablIzD3rwU5Zw6IfCX:4WSK/zItfcftOeIzD7jd0CX
TLSH: T15BF412A1F255C8EBE86626F45C7FEE102152AA5E9471060F229B7B2A75F3383006F54F
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 79e4e4ccccc4ccc0 (16 x AgentTesla, 3 x njrat, 3 x GuLoader)
Reporter: adrian__luca
Tags: exe GuLoader signed
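Before working with a downloaded copy of this sample it is worth recomputing the digests listed above and comparing them with the entry, so that a truncated download or a different file from the same archive is caught early. The following is an added example, not MalwareBazaar code: it reads the file once, computes every digest the entry lists that the Python standard library provides (MD5, SHA1, SHA256, SHA3-384), and reports which of the published values match. ssdeep, TLSH and imphash need third-party modules and are not covered. Note that the entry also lists separate hashes for an unpacked file (10f68bb0...); those will not match the digests embedded here, which are the primary sample's only.

```python
"""Recompute the digests published for this MalwareBazaar entry and match a
sample on disk against them. Added example, not MalwareBazaar code; it uses
only the standard library, so ssdeep, TLSH and imphash are left out."""
import hashlib
import io

# Copied from the entry above (lower-case hex). The unpacked file has its own
# hashes and will deliberately not match these.
ENTRY_IOCS = {
    "md5": "6666c6c737f90b2005a59b8ffb9c9c27",
    "sha1": "fc0217fb97e0189712f908c234cb8393c72c0b67",
    "sha256": "01dcd38c47e4a0560bb9a6ff1fbdc84599c3761d20cf7fec96a16d916e894795",
    "sha3_384": "6ad1b685471331aa59edf0f5da098be47d46fd7e9f8d5981ab0f078e36399392e0b0e632a92a8a8217045f513aad6e3b",
}
ALGORITHMS = tuple(ENTRY_IOCS)


def digest_stream(stream, chunk_size=1 << 20) -> dict:
    """Feed the stream through every algorithm in a single pass and return
    {algorithm: hexdigest}. Chunked so large droppers do not need to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (used by the checks below)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> dict:
    with open(path, "rb") as f:
        return digest_stream(f)


def match_iocs(digests: dict, iocs: dict) -> list:
    """Names of the algorithms whose computed digest equals the published one.
    Comparison is case-insensitive because sites differ in hex casing."""
    return [name for name, value in digests.items()
            if iocs.get(name, "").lower() == value.lower()]


def verify_sample(path: str, iocs: dict = ENTRY_IOCS) -> bool:
    """True only when every published digest matches. A partial match (say MD5
    only) is treated as a failure rather than a success, since the stronger
    hashes are the ones that identify the file."""
    return set(match_iocs(digest_file(path), iocs)) == set(iocs)


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <downloaded-file>
    for name, value in digest_file(sys.argv[1]).items():
        status = "match" if name in match_iocs({name: value}, ENTRY_IOCS) else "MISMATCH"
        print(f"{name:9s} {value}  {status}")
```

Run it against the file downloaded from the entry; any line reporting MISMATCH means you are not analysing the sample this page describes.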

Code Signing Certificate

Organisation: Innervating
Issuer: Innervating
Algorithm: sha256WithRSAEncryption
Valid from: 2024-12-13T03:20:58Z
Valid to: 2025-12-13T03:20:58Z
Serial number: 1a4ab40e341f83a6d0f864d2f2fd610b0c4395e4
Thumbprint Algorithm: SHA256
Thumbprint: 4bae1ec89a4ffba73ac48c08aa7a462cbcb092f378f92e2e1a7afc91bb8ec762
Note: the issuer name is identical to the subject organisation, so this appears to be a self-signed certificate. The "signed" tag only records that an Authenticode signature is present; it says nothing about whether the signer chains to a trusted CA.
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 27
Origin country: HU

Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: obfuscate virus shell

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2025-06-25 00:34:27 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 17 of 24 (70.83%)
Threat level: 5/5

Result
Malware family: guloader
Score: 10/10
Tags: family:darkcloud family:guloader adware discovery downloader execution installer persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Guloader family
Guloader,Cloudeye

Verdict: Malicious
Tags: loader guloader
YARA: NSIS_GuLoader_July_2024

Unpacked files
SHA256 hash: 01dcd38c47e4a0560bb9a6ff1fbdc84599c3761d20cf7fec96a16d916e894795
MD5 hash: 6666c6c737f90b2005a59b8ffb9c9c27
SHA1 hash: fc0217fb97e0189712f908c234cb8393c72c0b67
SHA256 hash: 10f68bb04dc5ed0d05dcc43684a67fab21503d5c4d17a76d82345b13b791a831
MD5 hash: b1d3ab0c4d64afb0cb4fe4f62e70eb41
SHA1 hash: e8f23703b8731af81ae08151633a8b0728be3919
Detections: win_flawedammyy_auto
Parent samples :
SHA256 hash: 370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0
MD5 hash: 0a6f707fa22c3f3e5d1abb54b0894ad6
SHA1 hash: 610cb2c3623199d0d7461fc775297e23cef88c4e
Detections: win_flawedammyy_auto
Parent samples :

Note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews

ID: AUTH_API
Capabilities: Manipulates User Authorization
Evidence: ADVAPI32.dll::SetFileSecurityA

ID: COM_BASE_API
Capabilities: Can Download & Execute components
Evidence: ole32.dll::CoCreateInstance

ID: SECURITY_BASE_API
Capabilities: Uses Security Base API
Evidence: ADVAPI32.dll::AdjustTokenPrivileges

ID: SHELL_API
Capabilities: Manipulates System Shell
Evidence: SHELL32.dll::ShellExecuteExA, SHELL32.dll::SHFileOperationA, SHELL32.dll::SHGetFileInfoA

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDiskFreeSpaceA, KERNEL32.dll::GetCommandLineA

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::MoveFileExA, KERNEL32.dll::MoveFileA

ID: WIN_BASE_USER_API
Capabilities: Retrieves Account Information
Evidence: ADVAPI32.dll::LookupPrivilegeValueA

ID: WIN_REG_API
Capabilities: Can Manipulate Windows Registry
Evidence: ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegDeleteKeyA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA

ID: WIN_USER_API
Capabilities: Performs GUI Actions
Evidence: USER32.dll::AppendMenuA, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExA, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA
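The CHECK_DLL_CHARACTERISTICS finding above comes from one 16-bit field in the PE optional header, DllCharacteristics. The following is an added example, not BLint's or MalwareBazaar's code, that reads that field with the standard library and reports which mitigation bits are set and which expected ones are absent. One caveat a reviewer should keep in mind: HIGH_ENTROPY_VA only has meaning for 64-bit (PE32+) images, and TrID and the sandbox tags identify this sample as a Win32 x86 executable, so its absence is expected here; for a 32-bit image the bits that matter are DYNAMIC_BASE and NX_COMPAT, which BLint's output on this page does not report on either way. The example therefore applies the 64-bit-only flag to PE32+ images only; the `build_min_pe` helper constructs a throwaway header purely as sample input.

```python
"""Inspect a PE file's DllCharacteristics field, the source of BLint's
CHECK_DLL_CHARACTERISTICS finding. Added example, not BLint or MalwareBazaar
code; standard library only."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Mitigation bits a user-mode image is expected to carry. HIGH_ENTROPY_VA
# only means something for 64-bit (PE32+) images, so it is not required of PE32.
EXPECTED_PE32 = ("DYNAMIC_BASE", "NX_COMPAT")
EXPECTED_PE32PLUS = ("HIGH_ENTROPY_VA",) + EXPECTED_PE32


def parse_dll_characteristics(data: bytes) -> dict:
    """Return machine, optional-header magic, the raw DllCharacteristics word
    and the names of the bits that are set. Raises ValueError on non-PE input."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, _nsect, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit]
    return {"machine": machine, "magic": magic,
            "dll_characteristics": dllchar, "flags": flags}


def missing_hardening(data: bytes) -> list:
    """Expected mitigation flags that are absent, in the order they are checked."""
    info = parse_dll_characteristics(data)
    expected = EXPECTED_PE32PLUS if info["magic"] == PE32PLUS_MAGIC else EXPECTED_PE32
    return [name for name in expected if name not in info["flags"]]


def build_min_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed, non-runnable PE header just large enough for the parser.
    Sample input only: it has no sections, imports or code."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C               # AMD64 / I386
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Usage: python pe_dllchar.py <file.exe>; without an argument a constructed
    # 32-bit header with only NX_COMPAT and TERMINAL_SERVER_AWARE set is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_pe(0x8100)
    info = parse_dll_characteristics(blob)
    print(f"magic=0x{info['magic']:x} DllCharacteristics=0x{info['dll_characteristics']:04x}")
    print("set:     ", ", ".join(info["flags"]) or "(none)")
    print("missing: ", ", ".join(missing_hardening(blob)) or "(none)")
```

Running it on the downloaded sample shows whether the NSIS stub at least carries DYNAMIC_BASE and NX_COMPAT; a 32-bit image that lacks both is far easier to exploit with hard-coded addresses, which is a different concern from the loader's own malicious behaviour but relevant if the stub is ever repurposed.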

Comments