MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
SHA3-384 hash: 13006b978e7fb131fe82eed066601f0d24a54fa16219f053abeded3679dee4519df3e4a89eb640dc15206d729147e353
SHA1 hash: 852ac154d253e128199c7cf766d74ac8a6e9d146
MD5 hash: 51bfab682069e4e7a2ba7b8379d3927b
humanhash: west-ack-fifteen-undress
File name:0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
Download: download sample
Signature GuLoader
Create hunting rule
File size:292'592 bytes
First seen:2024-10-08 14:09:04 UTC
Last seen:2024-11-07 14:17:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 3072:2wDijpS4DbYccZDMH/VQRTibm2WZadkXXh+gtCyk+CebDbVs9MNoe2jDwwY9ZM+5:2FYVMH/8gm2kBA0bOKq/j0w6MpdyU
Threatray 2'684 similar samples on MalwareBazaar
TLSH T16F540242FFA1C937CDB9473104799F6BAB728E2085426B87B3643F1E3C5319246AE306
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 78787cb4d4d05019 (1 x GuLoader)
Reporter adrian__luca
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:xylografen taxiflyvningerne
Issuer:xylografen taxiflyvningerne
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-20T03:48:51Z
Valid to:2026-12-19T03:48:51Z
Serial number: 0133359a3ad4fc68d1f12d855ef725d383676e2b
Thumbprint Algorithm:SHA256
Thumbprint: a9273eaf8b8c14d37a0844ed7629802ac8c89f03e6874844922b012f12e84381
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
384
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Johnnie-6912799-0
Create hunting rule

SecuriteInfo.com.Trojan.NSIS.Injector.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67053d3da69182ddbe5d085f
Tags:
Powershell Nsis
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32 signed
Link:
https://www.filescan.io/uploads/67053d414d903f1f7eef0b47/reports/82eabfe5-cb9c-4eb7-8ae1-78bfe4005e98/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/048c8f11-5917-44eb-b227-bf6fa500755a
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1529110
Signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found malware configuration
Installs a global keyboard hook
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Remcos
Submitted sample is a known malware sample
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529110 Sample: asXlZG3aW6.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 50 newfarmn.pro 2->50 52 telesavers.co.za 2->52 54 geoplugin.net 2->54 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 7 other signatures 2->68 8 asXlZG3aW6.exe 34 2->8         started        signatures3 process4 file5 42 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->42 dropped 44 C:\Users\user\AppData\Local\...\System.dll, PE32 8->44 dropped 76 Detected unpacking (changes PE section rights) 8->76 78 Submitted sample is a known malware sample 8->78 80 Tries to steal Mail credentials (via file registry) 8->80 82 6 other signatures 8->82 12 asXlZG3aW6.exe 4 19 8->12         started        17 cmd.exe 8->17         started        19 cmd.exe 8->19         started        21 62 other processes 8->21 signatures6 process7 dnsIp8 56 newfarmn.pro 41.216.188.178, 2404, 49736, 49737 AS40676US South Africa 12->56 58 telesavers.co.za 102.65.21.26, 443, 49735 Web-Africa-Networks-ASZA South Africa 12->58 60 geoplugin.net 178.237.33.50, 49740, 80 ATOM86-ASATOM86NL Netherlands 12->60 46 C:\Users\user\AppData\...\Uforsvarlige.scr, PE32 12->46 dropped 48 C:\ProgramData\remcos\logs.dat, data 12->48 dropped 84 Detected Remcos RAT 12->84 86 Creates autostart registry keys with suspicious values (likely registry only malware) 12->86 88 Tries to harvest and steal browser information (history, passwords, etc) 12->88 90 3 other signatures 12->90 23 asXlZG3aW6.exe 12->23         started        26 asXlZG3aW6.exe 12->26         started        28 asXlZG3aW6.exe 12->28         started        30 Conhost.exe 17->30         started        32 Conhost.exe 19->32         started        34 Conhost.exe 21->34         started        36 Conhost.exe 21->36         started        38 Conhost.exe 21->38         started        40 59 other processes 21->40 file9 signatures10 process11 signatures12 70 Tries to steal Instant Messenger accounts or passwords 23->70 72 Tries to steal Mail credentials (via file / registry access) 23->72 74 Tries to harvest and steal browser information (history, passwords, etc) 26->74
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-09-21 10:09:12 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b75z3c24yjonfadwh7ueazpv6fe3c7vv3hqz3vm3u3bsjuusk4vq._file
Verdict:
malicious
Label(s):
packer_bxor
Create hunting rule
Similar samples:
12793dc2882c9b44c06752a4fe39161c77de6075cf859db47715b83708926e9a
GuLoader
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
GuLoader
7e72aa95cfd1e51971fe7dc266693fa3403c71682ac7f12050dd8b267896b58e
GuLoader
88dab0ee02a70b83cb4c99ffa6e809c2789c9e1d55cdcd92454f73bf9d5effa4
GuLoader
a34322247f7f9705a3002533b485264c3e4173b071a35ef230992fa0b284e53a
GuLoader
a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
GuLoader
bba7b7e91056db7fb6f628ab6478960b96c1a9d8606d6d5b4d74d5043b2bad79
GuLoader
c38606758c66572a12b14f0fff37d2d708cfb7aded6fffe4516f1691f56690c6
GuLoader
c828cbb41945322c3294bd70c8c6423ae001604c3fa725422d0de59dd7e653b7
GuLoader
error
GuLoader
+ 2'674 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/241008-rgprzstfqd/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58981c90-d752-46da-aba4-97d16f5e6eb4
Unpacked files
SH256 hash:
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
MD5 hash:
b38561661a7164e3bbb04edc3718fe89
SHA1 hash:
f13c873c8db121ba21244b1e9a457204360d543f
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/ef8a220b-0e29-41bc-8d2f-6bb2d83851db/
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
SH256 hash:
bf0cf3990c6c23dd91ec21071c31537f36355b6d6900358e1536b9a377427619
MD5 hash:
26fc881f84b7f9081cf6b58ab8f9ec08
SHA1 hash:
c4424b9a716392228d55f7d067592d77e9d1b5d2
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/ef8a220b-0e29-41bc-8d2f-6bb2d83851db/
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
SH256 hash:
3fa68217d4b6dc9618291e1f85c35140840669ec333fb5e40fe7894bc001e063
MD5 hash:
375744237c6486623d28316e74ce67e9
SHA1 hash:
89a803fa5aef042e7de7bbe8055f840c07e3c486
Link:
https://www.unpac.me/results/ef8a220b-0e29-41bc-8d2f-6bb2d83851db/
SH256 hash:
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
MD5 hash:
51bfab682069e4e7a2ba7b8379d3927b
SHA1 hash:
852ac154d253e128199c7cf766d74ac8a6e9d146
Link:
https://www.unpac.me/results/ef8a220b-0e29-41bc-8d2f-6bb2d83851db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_GuLoader
Create hunting rule
Author:NDA0E
Description:Detects GuLoader using NSIS
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments