MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f
SHA3-384 hash: 5677633c79fec73b0abdcfb078ca7fa11360c450179d2d553f2e81775a7ba94e3ccc83161e012f8b67a4c2637d21a5b9
SHA1 hash: 9fe2a5cfb81b5dd9c770e7c1e30c33e57a28a0dc
MD5 hash: be72f1a2cbbc7b4b72c2dd045c46951d
humanhash: artist-pizza-emma-ink
File name:Halkbank_Ekstre_20230711.pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:323'197 bytes
First seen:2023-07-12 06:24:00 UTC
Last seen:2023-07-12 06:43:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 6144:qhgqhwXoAoVHX2B5lb5v5s/u8dfJX9gy9XMFykNldXNzJCwu3Ec:pqvVHX8l1v4fJX9tMokTdXNzcwu0c
Threatray 602 similar samples on MalwareBazaar
TLSH T190649D2A6B3A9922FD7C7032F5C6A5B357384CB5952CB42132D0FE53187767B2A0E18D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ccf4d4dcdedee9b1 (4 x GuLoader)
Reporter abuse_ch
Tags:exe geo GuLoader Halkbank TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Halkbank_Ekstre_20230711.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-12 06:29:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6803a06-fcbc-49a0-9f01-ac58a53652de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/416325/
Detection(s):
SecuriteInfo.com.Variant.Jaik.154612.4804.12847.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97226/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64ae4708a15fc7eb4fd11315/reports/af58311e-09e8-456d-9aa6-d85dd0c14667/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/22282a32-0e7d-49d8-927b-877ed7feb39e
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1271445
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f/
Threat name:
Win32.PUA.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-11 13:00:59 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
16 of 24 (66.67%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6pidgscy3pnfsdszyk5bf3d6vtsgd56kvrpedvcp3dbbaxyljhq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0c3bffacf3e541cfdd0b5552e048c57d313252709926031f1d4672717f9beae3
GuLoader
144750d91bdca21697d15f3dd12845497d62715c6c7251b033d039802795cbda
GuLoader
3e742163144a721a8d6733f9653c2acca1638eced30159467a6768aff047f25c
GuLoader
7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7
GuLoader
991ab8c38fea82c09c29d8ba23996b3626d0a6d6dad0493e95081cee5eab039e
GuLoader
a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675
GuLoader
+ 592 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/230712-g5224scb92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
MD5 hash:
0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 hash:
10c51496d37cecd0e8a503a5a9bb2329d9b38116
Link:
https://www.unpac.me/results/a426571f-af15-406e-ae8d-ea24ae4ac341/
SH256 hash:
079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f
MD5 hash:
be72f1a2cbbc7b4b72c2dd045c46951d
SHA1 hash:
9fe2a5cfb81b5dd9c770e7c1e30c33e57a28a0dc
Link:
https://www.unpac.me/results/a426571f-af15-406e-ae8d-ea24ae4ac341/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/079e819a42c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/416325/

Comments