MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02873a5d57569be2c4eb7a7b31addacde749430980185cda9c6cbc577ba3f881. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02873a5d57569be2c4eb7a7b31addacde749430980185cda9c6cbc577ba3f881
SHA3-384 hash: c468c60e634b366acec7a3bdfb9189286951f547ff6887a73cafb42bf1b08ba1251e86edc79648183fa008beaff1b6e9
SHA1 hash: a873054c03ccfaffa23f1836e78f7d273d839422
MD5 hash: 2ff74b97e4ca4b63ee814477137781e7
humanhash: nevada-orange-wyoming-robert
File name:SecuriteInfo.com.NSIS.InjectorX-gen.1168
Download: download sample
Signature GuLoader
Create hunting rule
File size:138'416 bytes
First seen:2022-09-19 03:46:31 UTC
Last seen:2022-09-23 05:26:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f91aceea750f765ef2ba5d9988e6a00 (45 x GuLoader, 7 x Loki, 7 x RemcosRAT)
ssdeep 3072:QxnwgiJ4jGkTSbYbhuKd0Cb4cMoYOpBseNqD+YZ4+0O7F4Wn2nOy5I7CO:QxwgiJ4+WE84cMM2eNgT7aDOALO
TLSH T1C8D3018122D4C1E3EDF758702537AF4F9BA6AF522169130BF3C42D876C332821A5F696
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
392
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.NSIS.InjectorX-gen.1168
Verdict:
Malicious activity
Analysis date:
2022-09-19 03:48:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d88d1ae8-6c4d-47f2-874f-268a0825fdc1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311173/
Detection(s):
SecuriteInfo.com.NSIS.InjectorX-gen.1168.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38071/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6327e6b4f4b3258a6c0f15b7/reports/c257b396-4da9-4f11-b39c-18397e83a477/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2fb590a1-fedb-4e46-a2d3-6031b2106534
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072654
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 705196 Sample: SecuriteInfo.com.NSIS.Injec... Startdate: 19/09/2022 Architecture: WINDOWS Score: 100 27 geoplugin.net 2->27 39 Antivirus detection for URL or domain 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected GuLoader 2->43 45 3 other signatures 2->45 8 SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe 4 28 2->8         started        signatures3 process4 file5 25 C:\Users\user\AppData\Local\...\System.dll, PE32 8->25 dropped 47 Detected unpacking (changes PE section rights) 8->47 49 Tries to steal Mail credentials (via file registry) 8->49 51 Tries to detect Any.run 8->51 12 SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe 2 14 8->12         started        signatures6 process7 dnsIp8 29 geoplugin.net 178.237.33.50, 49785, 80 ATOM86-ASATOM86NL Netherlands 12->29 31 205.234.203.69, 2484, 49782, 49783 AS-COLOCROSSINGUS United States 12->31 53 Tries to detect Any.run 12->53 55 Maps a DLL or memory area into another process 12->55 16 SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe 1 12->16         started        19 SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe 1 12->19         started        21 SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe 1 12->21         started        23 27 other processes 12->23 signatures9 process10 signatures11 33 Tries to steal Instant Messenger accounts or passwords 16->33 35 Tries to steal Mail credentials (via file / registry access) 16->35 37 Tries to harvest and steal browser information (history, passwords, etc) 23->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02873a5d57569be2c4eb7a7b31addacde749430980185cda9c6cbc577ba3f881/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akdtuxkxk2n6frhlpj5tdlo2zxtusqyjqamfzwu4ns6fo65d7caq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220919-eb7pdsege4/
Behaviour
Enumerates physical storage devices
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d24d47e1-8f30-4ffd-9b03-9a20006dd8ab
Unpacked files
SH256 hash:
703e17d30a91775f8ddc2648b537fc846fad6415589a503a4529c36f60a17439
MD5 hash:
637e1fa13012a78922b6e98efc0b12e2
SHA1 hash:
8012d44e42cd6d813ea63d5ccbf190fe72e3c778
Link:
https://www.unpac.me/results/921cf771-2100-4468-9b35-ed1ff7cd6b04/
SH256 hash:
02873a5d57569be2c4eb7a7b31addacde749430980185cda9c6cbc577ba3f881
MD5 hash:
2ff74b97e4ca4b63ee814477137781e7
SHA1 hash:
a873054c03ccfaffa23f1836e78f7d273d839422
Link:
https://www.unpac.me/results/921cf771-2100-4468-9b35-ed1ff7cd6b04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/02873a5d57569be2c4eb7a7b31addacde749430980185cda9c6cbc577ba3f881

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311173/

Comments