MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 088b805edd9d27cca0984e169221b4db3933b106eacdfe3032744bdc97d32aae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 088b805edd9d27cca0984e169221b4db3933b106eacdfe3032744bdc97d32aae
SHA3-384 hash: 33f3f81d8aec000062d2b4423d7a31d2ff7603adf5b01bab34e04a005180fc594adb9d522e5c3586e59ffce7d7a79612
SHA1 hash: c2f5f7a3c01fcd501e2fc807eca246e47c7f7417
MD5 hash: 2aa0c3e84bc9dc676871327a52d3d6cf
humanhash: winner-romeo-glucose-bakerloo
File name:SecuriteInfo.com.W32.Sonbokli.R.genEldorado.9439.2400
Download: download sample
Signature GuLoader
Create hunting rule
File size:369'712 bytes
First seen:2022-08-15 10:37:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:8Mm4CCVFKVeFo66BKLfD9Dzi86F55YX28Z/bH/gb42GnQFa3Uv89maLoxXK:8MwsF/fx9noUHZzYM2GzkFxa
Threatray 3'886 similar samples on MalwareBazaar
TLSH T15F74128627A2C4B7DF628E311DFBAEE35EE6C10214945F0F6B106B4D7C253915A0FB26
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f2e49090a4acac (2 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Gitring Alterman Skaftvven
Issuer:Gitring Alterman Skaftvven
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-09T03:16:34Z
Valid to:2025-08-08T03:16:34Z
Serial number: 655e744c7a1874db
Thumbprint Algorithm:SHA256
Thumbprint: 85c80f9eb28bf0ea4add0acfa1edb005cf79500d58b29fd78a4312e0c62c632f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.Sonbokli.R.genEldorado.9439.2400
Verdict:
Malicious activity
Analysis date:
2022-08-15 10:39:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/19f29816-996b-4f34-a610-e0328a8962ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298633/
Detection(s):
SecuriteInfo.com.W32.Sonbokli.R.genEldorado.9439.2400.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28982/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62fa2288a3420170e4475d98/reports/c3a2f7ad-7873-456e-8ed5-6aaf0905aa78/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e21c1348-ec61-44a2-a34d-c977a54455d5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1051452
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 683958 Sample: SecuriteInfo.com.W32.Sonbok... Startdate: 15/08/2022 Architecture: WINDOWS Score: 48 24 Multi AV Scanner detection for submitted file 2->24 7 SecuriteInfo.com.W32.Sonbokli.R.genEldorado.9439.exe 2 34 2->7         started        process3 file4 18 C:\Users\user\AppData\Roaming\...\wab.exe, PE32+ 7->18 dropped 20 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->20 dropped 22 C:\Users\user\AppData\Local\...\System.dll, PE32 7->22 dropped 10 powershell.exe 9 7->10         started        12 powershell.exe 5 7->12         started        process5 process6 14 conhost.exe 10->14         started        16 conhost.exe 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/088b805edd9d27cca0984e169221b4db3933b106eacdfe3032744bdc97d32aae/
Threat name:
Win32.Packed.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-08-15 08:56:21 UTC
File Type:
PE (Exe)
Extracted files:
269
AV detection:
18 of 26 (69.23%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bcfyaxw5tut4zieyjyljeinu3m4thmig5lg74mbsorf5zf6tfkxa._file
Verdict:
unknown
Similar samples:
74c072727e1c18e42d630ac87197a47e923ee47d675b3bfff57f10f1d229d952
GuLoader
788510bf3fc20aacc76bd0ed1884ff8452f4e79023f2f3ad3072efbd7e74139d
GuLoader
7d803e44c98cd23b971f692182f8d1d508fe82fb0fd6b681e7896c552d88411a
GuLoader
80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98
GuLoader
8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4
GuLoader
874b31b01660f3185d9395adc891baf865aee503331d6d2ea507c572cfea001e
GuLoader
9e0721f67110174f62cd0c24c752271cfc3c6275457a839475a61843b9ce8164
GuLoader
b70451fce984c68d6edca97c9858baf8509e6d8a49977ec0dc3e73cc3fb5eb86
GuLoader
f65e06c1100da40fbaa4f7bf5ea9f3d750b9ed2ccf548bc2b1eb3e7ed0a7f4c8
GuLoader
+ 3'876 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220815-mpdmgacdf4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe
MD5 hash:
4c77a65bb121bb7f2910c1fa3cb38337
SHA1 hash:
94531e3c6255125c1a85653174737d275bc35838
Link:
https://www.unpac.me/results/8dd79dac-c04b-4ac1-87e0-dbb78449d079/
SH256 hash:
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
MD5 hash:
564bb0373067e1785cba7e4c24aab4bf
SHA1 hash:
7c9416a01d821b10b2eef97b80899d24014d6fc1
Link:
https://www.unpac.me/results/8dd79dac-c04b-4ac1-87e0-dbb78449d079/
SH256 hash:
1ece965ac1a7410c56c47532a43dd7e5b4db0263a8dca53f0554f7ff16003a8c
MD5 hash:
df3e949ba7901c3520698d403c7f1f5c
SHA1 hash:
6cd0bcdcd433cea81f90ecc1bf4e92e9a0d8fde2
Link:
https://www.unpac.me/results/8dd79dac-c04b-4ac1-87e0-dbb78449d079/
SH256 hash:
088b805edd9d27cca0984e169221b4db3933b106eacdfe3032744bdc97d32aae
MD5 hash:
2aa0c3e84bc9dc676871327a52d3d6cf
SHA1 hash:
c2f5f7a3c01fcd501e2fc807eca246e47c7f7417
Link:
https://www.unpac.me/results/8dd79dac-c04b-4ac1-87e0-dbb78449d079/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/088b805edd9d27cca0984e169221b4db3933b106eacdfe3032744bdc97d32aae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298633/

Comments