MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
SHA3-384 hash: 29d3953bfacbd19fa45f4a45214c3f5ba6a42deb151936ecb847a6fe99f9d475ff86ab687a401c56a8fcc0c1b20cc35e
SHA1 hash: 3fba37528f6b06d2c89c7d86ce6352df438f1855
MD5 hash: 5262da4295e8a62d58d17991b35bf860
humanhash: paris-zebra-nebraska-vermont
File name:5262da4295e8a62d58d17991b35bf860
Download: download sample
Signature GuLoader
Create hunting rule
File size:126'976 bytes
First seen:2021-10-19 12:38:43 UTC
Last seen:2021-10-19 14:11:10 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1536:HEzzhi6Qu6TDW2rxtene90Ceqhg0Sh1xOeFPa+HNFiS79oe:HEzlQuExvene9zFhgDbsm7TiVe
Threatray 10'623 similar samples on MalwareBazaar
TLSH T147C349CDB5D1CE26C70930B3C75D8A68C725ECAAD650010F63E2BFD92AB6681D412FB5
Reporter zbetcheckin
Tags:GuLoader msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198487/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.16641.14633.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/616ebc6f9a5a1e91c5c6500d/reports/434c779b-2f2d-4f3f-8225-ffaa3c99897c/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873104
Signature
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505530 Sample: pcE8HuQEUp Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 7 other signatures 2->52 11 msiexec.exe 7 27 2->11         started        14 msiexec.exe 2 2->14         started        process3 file4 32 C:\Windows\Installer\MSI4FB2.tmp, PE32 11->32 dropped 16 MSI4FB2.tmp 11->16         started        process5 signatures6 38 Multi AV Scanner detection for dropped file 16->38 40 Drops executables to the windows directory (C:\Windows) and starts them 16->40 42 Tries to detect Any.run 16->42 44 2 other signatures 16->44 19 MSI4FB2.tmp 6 16->19         started        process7 dnsIp8 34 gsmcommerce.net 94.102.1.96, 443, 49801 NETINTERNETNetinternetBilisimTeknolojileriASTR Turkey 19->34 36 www.gsmcommerce.net 19->36 54 Modifies the context of a thread in another process (thread injection) 19->54 56 Tries to detect Any.run 19->56 58 Maps a DLL or memory area into another process 19->58 60 3 other signatures 19->60 23 explorer.exe 19->23 injected signatures9 process10 process11 25 wlanext.exe 23->25         started        signatures12 62 Tries to detect virtualization through RDTSC time measurements 25->62 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 07:41:12 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06a96d390ef022721da30abba6d35467fbbd35f09f32e23825a83fc3928292a7
GuLoader
12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a
GuLoader
18e567faf1360f9188e37a7affa92286972f148814aa92f69b68b894e2648e5b
GuLoader
4217bf1cf710804c6b4a7b6a7d03974aaa655e512e3bf854c193feb7b2a8d422
GuLoader
7384a61fc69ce24610f7c4658c2ef8786c4cdc5d6ad6b33d1a9f506d6b6388d3
GuLoader
87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e
GuLoader
9fd6d5c3553557a9cb263962d71901a681aaa50f3808436b7dff7c4c97289b5e
GuLoader
ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3
GuLoader
b17b8be05fc8389990be623a727369826383bfc2fb33693943f208faa184ff40
GuLoader
c6106fc0a5a8a0fb4a2245bd159b22ed22ec40840826b51b585f78f97f860be8
GuLoader
+ 10'613 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xloader campaign:fs3g downloader loader rat suricata
Link:
https://tria.ge/reports/211019-pvn2hagfgp/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates connected drives
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Guloader,Cloudeye
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.indigenousjobsearch.com/fs3g/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Microsoft Software Installer (MSI) msi 058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1680205/
  
URLhaus
https://urlhaus.abuse.ch/url/1680203/
Cape
Cape
https://www.capesandbox.com/analysis/198487/
  
URLhaus
https://urlhaus.abuse.ch/url/1696049/

Comments


Avatar
zbet commented on 2021-10-19 12:38:45 UTC

url : hxxp://fieldomobify.com/nx/t1.msi