MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 066e912a337870ec99eff5c8eaffe49ff3ffe4d20838b892a76bc99d8496656a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 066e912a337870ec99eff5c8eaffe49ff3ffe4d20838b892a76bc99d8496656a
SHA3-384 hash: dd6f6c64baee058ec41c5da262cd14fcf95a7c4b608abae8e77d91b54ee1cc098c5496c99275a10889ac4ebc95b1fc2d
SHA1 hash: 62ecc2313b5774fc1621cc8fbe830bbb96a975df
MD5 hash: fae2e0a449bed4f6d2b0b0e79ca5df3c
humanhash: alpha-charlie-cardinal-maryland
File name:Driver.Booster.10.6.0.141.msi
Download: download sample
Signature GuLoader
Create hunting rule
File size:34'663'424 bytes
First seen:2023-08-11 10:06:27 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:stMdPByhq/XkArjeb5MeJw1wxumuQuc6OOZB2pR6+97:stMd5T/XAtMeJmcvwH2pRl7
Threatray 33 similar samples on MalwareBazaar
TLSH T1E0773322F98FC632F66D5136A978EB6A117A7EE2073184D7A3D43DDA4D708C15272F02
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter xr1pper
Tags:GuLoader msi signed

Code Signing Certificate

Organisation:PIZKO
Issuer:PIZKO
Algorithm:sha256WithRSAEncryption
Valid from:2023-08-09T19:57:19Z
Valid to:2024-08-09T20:17:19Z
Serial number: 660f87edbb153c8b4ff41d4a8ce455af
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5de85f5972c17bfca6995e7c50dcf0d7b5a02999ff4f1dcee43336ecc5e6bb9b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
EG EG
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm control evasive fingerprint lolbin masquerade msiexec remote shell32
Link:
https://www.filescan.io/uploads/64d608475182f25f1647555e/reports/47bf53cc-6e16-4c23-bb20-74cb10bbf1e0/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/066e912a337870ec99eff5c8eaffe49ff3ffe4d20838b892a76bc99d8496656a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/066e912a337870ec99eff5c8eaffe49ff3ffe4d20838b892a76bc99d8496656a
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1289932
Signature
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
PE file has nameless sections
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1289932 Sample: Driver.Booster.10.6.0.141.msi Startdate: 11/08/2023 Architecture: WINDOWS Score: 72 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for URL or domain 2->127 129 Multi AV Scanner detection for dropped file 2->129 131 7 other signatures 2->131 11 msiexec.exe 28 75 2->11         started        15 cmd.exe 1 2->15         started        17 svchost.exe 2->17         started        19 9 other processes 2->19 process3 file4 95 C:\Windows\Installer\MSIC986.tmp, PE32 11->95 dropped 97 C:\Windows\Installer\MSIBF93.tmp, PE32 11->97 dropped 99 C:\Windows\Installer\MSIB698.tmp, PE32 11->99 dropped 101 18 other malicious files 11->101 dropped 151 Drops executables to the windows directory (C:\Windows) and starts them 11->151 21 MSI5025.tmp 1 11->21         started        23 MpCopyAccelerator.exe 11->23         started        26 msiexec.exe 11->26         started        35 2 other processes 11->35 153 Encrypted powershell cmdline option found 15->153 28 powershell.exe 16 15->28         started        31 conhost.exe 15->31         started        155 Changes security center settings (notifications, updates, antivirus, firewall) 17->155 33 MpCmdRun.exe 17->33         started        signatures5 process6 dnsIp7 37 install.exe 2 21->37         started        89 C:\Users\user\...\MpCopyAccelerator.exe, PE32+ 23->89 dropped 91 C:\Users\user\AppData\...\MpClient.dll, PE32+ 23->91 dropped 40 MpCopyAccelerator.exe 23->40         started        113 89.208.103.144, 49708, 80 PSKSET-ASRU Russian Federation 28->113 43 msiexec.exe 28->43         started        45 conhost.exe 33->45         started        file8 process9 file10 87 C:\Users\user\AppData\Local\...\install.tmp, PE32 37->87 dropped 47 install.tmp 31 249 37->47         started        147 Writes to foreign memory regions 40->147 149 Maps a DLL or memory area into another process 40->149 51 cmd.exe 40->51         started        signatures11 process12 file13 103 C:\Users\user\AppData\...\iswin7logo.dll, PE32 47->103 dropped 105 C:\Users\user\AppData\Local\...\botva2.dll, PE32 47->105 dropped 107 C:\Users\user\AppData\Local\Temp\...\b2p.dll, PE32 47->107 dropped 111 114 other files (35 malicious) 47->111 dropped 115 Uses netsh to modify the Windows network and firewall settings 47->115 117 Modifies the windows firewall 47->117 53 DriverBooster.exe 47->53         started        56 HWiNFO.exe 47->56         started        59 DriverBooster.exe 47->59         started        65 8 other processes 47->65 109 C:\Users\user\AppData\Local\Temp\rlyhe, PE32 51->109 dropped 119 Injects code into the Windows Explorer (explorer.exe) 51->119 121 Writes to foreign memory regions 51->121 123 Found hidden mapped module (file has been removed from disk) 51->123 61 conhost.exe 51->61         started        63 explorer.exe 51->63         started        signatures14 process15 file16 141 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 53->141 143 Hides threads from debuggers 53->143 67 AutoUpdate.exe 53->67         started        70 Manta.exe 53->70         started        72 RttHlp.exe 53->72         started        80 3 other processes 53->80 93 C:\Users\user\AppData\...\HWiNFO64A_151.SYS, PE32+ 56->93 dropped 145 Sample is not signed and drops a device driver 56->145 74 conhost.exe 65->74         started        76 conhost.exe 65->76         started        78 conhost.exe 65->78         started        82 5 other processes 65->82 signatures17 process18 signatures19 133 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 67->133 135 Hides threads from debuggers 67->135 84 rma.exe 67->84         started        process20 signatures21 137 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 84->137 139 Hides threads from debuggers 84->139
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azxjckrtpbyozgpp6xeov77et7z77zgsba4lrevhnpez3bewmvva._file
Verdict:
unknown
Similar samples:
3500abcc8f0c8af8f665b03f8bab9c712fe8b4a073ea1f35618e68c7b7075794
GuLoader
51e2f8828f5bea99031076c4c566cb051b1e73d3dd8e1347077adcd1ae6fd6c7
GuLoader
9ecb3553a9b19155cb2022f5620153581a2b370655f66a53caf44cd920330471
GuLoader
a027d527bf8e2d3682ee39f12379d113bc7d28193d36b2c448712e5c8009ff52
GuLoader
e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12
GuLoader
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230811-l5mpmscc35/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/066e912a337870ec99eff5c8eaffe49ff3ffe4d20838b892a76bc99d8496656a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Microsoft Software Installer (MSI) msi 066e912a337870ec99eff5c8eaffe49ff3ffe4d20838b892a76bc99d8496656a

(this sample)

  
Delivery method
Distributed via web download

Comments