MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4
SHA3-384 hash:	a9e61f5721ff9563847125eab4354eb5b23ad4f9b161d2088d8763bfcce2b4b7b3d68c02bbf6a7c8008eb2996da60e31
SHA1 hash:	c579411fefdf3006dc176b193f6dda8b07da0fe6
MD5 hash:	aa62920130adcf9c00c3c8af9b059b23
humanhash:	mississippi-texas-blossom-jersey
File name:	Destination Document pdf.exe
Download:	download sample
Signature	GuLoader Alert Create hunting rule
File size:	635'389 bytes
First seen:	2023-01-31 06:14:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	12288:b7EWNDJccwIWYh7j7TY3POh48Wfb9g5stErYyqJNBUcNjRtBnMAr8D:MUlyYtj7EojiB5Er/qPBUsNfCD
Threatray	16'801 similar samples on MalwareBazaar
TLSH	T198D4E0813350D753CD7FE6B02C51C8DA656BBC30E9A5A68A27A07E4B5FB50B0CE0ED25
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	ankit_anubhav
Tags:	BoredFluff exe GuLoader

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

205

Origin country :

TH

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

Destination Document pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-01-31 06:14:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/68c7ec3a-cf1e-480e-920b-ef3bc1fab7a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/358547/

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file

Creating a file in the %temp% directory

Delayed reading of the file

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/64194/overview

Behaviour

MalwareBazaar

FileScan.IO No Threat

Verdict:

No Threat

Threat level:

  2/10

Confidence:

80%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63d8b1e72d4f6d560e23cd58/reports/fac8efb1-4da4-4ce3-bb85-c784924f4535/overview

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/300e50a0-0b20-40f8-b2d4-2ed65a3f1f18

Joe Sandbox Remcos, GuLoader

Result

Threat name:

Remcos, GuLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1162176

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect Any.run

Writes to foreign memory regions

Yara detected GuLoader

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4/

ReversingLabs TitaniumCloud Win32.Trojan.Guloader

Threat name:

Win32.Trojan.Guloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-01-31 06:15:07 UTC

File Type:

PE (Exe)

Extracted files:

14

AV detection:

4 of 26 (15.38%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bfcuz74odnwyubvdompuc76c5bwwdt74z4wkwyagjz7xufts6s2a._file

Threatray unknown

Verdict:

unknown

Similar samples:

045d257fff1a2678715e67b6ce278456bd264514598fd51a3fc8023d58f64c3a

GuLoader

068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd

GuLoader

2ee350a3c3c03283a1458ff5e3e142d91b46a8fecd846ec8df0d1edca7c1e4cf

GuLoader

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1

GuLoader

4ba96ecdcdfa746de28a0ee3ef474842e829917c9486ace35ec4cc2fa1ad956f

GuLoader

a2cbf70ab3ebedd2c768816596fade8e94d1dd0d6025001ac59a71860e45b808

GuLoader

db2fc817af6b9f6d4a4b1ad1a837d9e56b8f8be9ee52266eded777d1f4b5a28b

GuLoader

f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841

GuLoader

fe9186c1d8ba97ae6f65152b962c365f55739d010e444e03364a26e4e6009bf2

GuLoader

+ 16'791 additional samples on MalwareBazaar

Hatching Triage guloader

Result

Malware family:

guloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/230131-gzwyxage5z/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

Guloader,Cloudeye

UnpacMe 2

Unpacked files

SH256 hash:

c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

MD5 hash:

9625d5b1754bc4ff29281d415d27a0fd

SHA1 hash:

80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

Link:

https://www.unpac.me/results/97bc7419-d4c5-4c2d-b3b4-4b880ac09934/

SH256 hash:

09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4

MD5 hash:

aa62920130adcf9c00c3c8af9b059b23

SHA1 hash:

c579411fefdf3006dc176b193f6dda8b07da0fe6

Link:

https://www.unpac.me/results/97bc7419-d4c5-4c2d-b3b4-4b880ac09934/

VMRay Remcos

Malware family:

Remcos

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/09454cff8e1b/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.33

Link:

https://yomi.yoroi.company/submissions/09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/358547/