MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aab4343050be7f37c913fe5809888d026fc0843ef1b35b2ca4a719d9b201450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0aab4343050be7f37c913fe5809888d026fc0843ef1b35b2ca4a719d9b201450
SHA3-384 hash: 338fc9dfff960443ca5fef5bcf99cd991a9e0d4c80bdbe605865ce0241f5c6acfb3972008e4348cefb045d90ee8dc428
SHA1 hash: f0162cea5e4c1677c3837431b15e79889ea7b204
MD5 hash: 21d9fd5a0644c27d57f9b39cec04d780
humanhash: robin-lemon-twelve-moon
File name:21d9fd5a0644c27d57f9b39cec04d780
Download: download sample
Signature GuLoader
Create hunting rule
File size:310'232 bytes
First seen:2022-04-05 19:00:43 UTC
Last seen:2022-04-05 19:49:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 3072:cfY/TU9fE9PEtuPVClzZxWckN7sFIrb5JqtKdVYnV1TjLaTEhp4aiy0WTpCO:KYa6NN+kCeyvqEv/l3/
Threatray 10'497 similar samples on MalwareBazaar
TLSH T1BE64E0C0F918916EECB7D63514264ABE299BEC3FC290235B36C0B78E1D71193463EB56
File icon (PE):PE icon
dhash icon 69d4f0ce8cc0e061 (2 x GuLoader, 1 x Formbook)
Reporter zbetcheckin
Tags:32 exe GuLoader signed

Code Signing Certificate

Organisation:Grntfoders
Issuer:Grntfoders
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-05T06:45:51Z
Valid to:2023-04-05T06:45:51Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 229d7883cdd883fc38037e0aed8514c7116a74b473463da948525bd147e34df2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://192.210.218.8/65/vbc.exe
Verdict:
No threats detected
Analysis date:
2022-04-05 14:03:33 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/a7013497-5a47-4b9c-9d9a-3d7c49b20322

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261086/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.48812538.26333.25171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12756/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll wacatac
Link:
https://www.filescan.io/uploads/624c91ef40ce5db9f411c904/reports/5237bbb0-aec9-4706-a7ef-6deac79c86d1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/47892294-1e3e-4621-8c01-82a59e566682
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/971104
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 603590 Sample: K9p17DJWLu.exe Startdate: 05/04/2022 Architecture: WINDOWS Score: 100 55 www.visainline.com 2->55 57 www.olymporian.com 2->57 59 39 other IPs or domains 2->59 83 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->83 85 Multi AV Scanner detection for domain / URL 2->85 87 Found malware configuration 2->87 91 9 other signatures 2->91 11 K9p17DJWLu.exe 23 2->11         started        signatures3 89 Tries to resolve many domain names, but no domain seems valid 57->89 process4 file5 49 C:\Users\user\AppData\Local\...\System.dll, PE32 11->49 dropped 109 Tries to detect Any.run 11->109 111 Hides threads from debuggers 11->111 15 K9p17DJWLu.exe 6 11->15         started        19 conhost.exe 11->19         started        signatures6 process7 dnsIp8 67 megajeettextiles.com 69.60.109.131, 443, 49761, 49862 INFOLINK-MIA-US United States 15->67 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Tries to detect Any.run 15->71 73 Maps a DLL or memory area into another process 15->73 75 3 other signatures 15->75 21 explorer.exe 3 6 15->21 injected signatures9 process10 dnsIp11 61 www.sakugacollectibles.com 74.220.199.6, 49809, 80 UNIFIEDLAYER-AS-1US United States 21->61 63 oakcliffbuildingmaterials.com 185.225.208.56, 49811, 80 UK2NET-ASGB Germany 21->63 65 22 other IPs or domains 21->65 47 C:\Users\user\AppData\Local\...\3fwur0.exe, PE32 21->47 dropped 93 System process connects to network (likely due to code injection or exploit) 21->93 95 Benign windows process drops PE files 21->95 26 control.exe 1 12 21->26         started        29 3fwur0.exe 18 21->29         started        32 3fwur0.exe 18 21->32         started        file12 signatures13 process14 file15 97 Tries to steal Mail credentials (via file / registry access) 26->97 99 Self deletion via cmd delete 26->99 101 Tries to harvest and steal browser information (history, passwords, etc) 26->101 107 4 other signatures 26->107 34 cmd.exe 2 26->34         started        37 cmd.exe 1 26->37         started        39 firefox.exe 26->39         started        51 C:\Users\user\AppData\Local\...\System.dll, PE32 29->51 dropped 103 Tries to detect Any.run 29->103 105 Hides threads from debuggers 29->105 41 3fwur0.exe 6 29->41         started        53 C:\Users\user\AppData\Local\...\System.dll, PE32 32->53 dropped 43 3fwur0.exe 32->43         started        signatures16 process17 signatures18 77 Tries to harvest and steal browser information (history, passwords, etc) 34->77 45 conhost.exe 37->45         started        79 Tries to detect Any.run 41->79 81 Hides threads from debuggers 41->81 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0aab4343050be7f37c913fe5809888d026fc0843ef1b35b2ca4a719d9b201450/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2022-04-05 17:06:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
226a5cd30d41f0f8a4216a8c981c2ccee0a2f06e00135f891f8b5242a9162da2
GuLoader
253f3e1ffc17c3ef73f007378392b6b18c856f03175e978572bc3f105b3754a2
GuLoader
39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
GuLoader
3b71cc76f43648f26823ecf65fc133a9da6f03fb55f6f9ca0627824ee8862c6b
GuLoader
67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de
GuLoader
a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02
GuLoader
bd19d09ab53cc302c33c6ed5461aae7df3d0a62e0666f0b21f873c17c6f9f0fd
GuLoader
d3f274d21027d5681449dfb2573c6ac9510c12592f0eb7f5045f9f951b6dd894
GuLoader
ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677
GuLoader
f1bd6adeeb4de478e5697432f1cd289a435e6102702e84f40a0cdf9c638e5184
GuLoader
+ 10'487 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xloader campaign:wesd downloader loader rat
Link:
https://tria.ge/reports/220405-xn7h9sbgb2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Xloader Payload
Guloader,Cloudeye
Xloader
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/aa82629b-d07f-4795-8ea4-142c667f94ac/
SH256 hash:
0aab4343050be7f37c913fe5809888d026fc0843ef1b35b2ca4a719d9b201450
MD5 hash:
21d9fd5a0644c27d57f9b39cec04d780
SHA1 hash:
f0162cea5e4c1677c3837431b15e79889ea7b204
Link:
https://www.unpac.me/results/aa82629b-d07f-4795-8ea4-142c667f94ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/0aab4343050be7f37c913fe5809888d026fc0843ef1b35b2ca4a719d9b201450

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 0aab4343050be7f37c913fe5809888d026fc0843ef1b35b2ca4a719d9b201450

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2133008/
Cape
Cape
https://www.capesandbox.com/analysis/261086/

Comments


Avatar
zbet commented on 2022-04-05 19:00:47 UTC

url : hxxp://192.210.218.8/65/vbc.exe