MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1188c2e2766503be31ababf831f71bb23bb0edb0f1b0d00b65d9ba62eced2f25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1188c2e2766503be31ababf831f71bb23bb0edb0f1b0d00b65d9ba62eced2f25
SHA3-384 hash: 93cc1c2c1ee18b5be8bbe93183b1b7ccce743e0f0d24bbcbe30d6c3f826bd8c0e1ff36a68f857c6fd500fb77707ac126
SHA1 hash: c468678453c2ef1a7ae1b89b30fa95e21cee20f7
MD5 hash: 881d9482d1d4f11f95e393272fb7eb29
humanhash: blossom-oranges-four-kansas
File name:PEDIDO-0347.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:499'288 bytes
First seen:2024-05-03 07:49:18 UTC
Last seen:2024-05-03 08:22:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ea4df5d94204fc550be1874e1b77ea7 (245 x GuLoader, 31 x RemcosRAT, 26 x VIPKeylogger)
ssdeep 12288:3gEdTAkCWgdMBGxfwMSIHdvf6FvgcWzXaEMP6HuVBY:zdTdPWwG1wMSIHdvy+ptuVBY
Threatray 735 similar samples on MalwareBazaar
TLSH T140B4F1A9B244D027D96E0879C9B3AAF216157E2CE8423E0773557F4F35B2542283B52F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 7666c8c284acf839 (4 x GuLoader)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Bijouterier
Issuer:Bijouterier
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-31T07:21:08Z
Valid to:2027-03-31T07:21:08Z
Serial number: 7dd34239beb2c0ad222a8e775bdb6282fc8f3c71
Thumbprint Algorithm:SHA256
Thumbprint: a789ad6abbac825ea635516f900cf066a0f04b4f0aece4c6c846ad1d815012b0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
382
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
1188c2e2766503be31ababf831f71bb23bb0edb0f1b0d00b65d9ba62eced2f25.exe
Verdict:
Malicious activity
Analysis date:
2024-05-03 07:51:38 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/916dca24-b11d-426e-bdc5-1dd9eb1b5471

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.11553.18845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6634972bd1046c89340baba2/reports/3eaa31c0-1202-4633-809d-3d4c9a815332/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1188c2e2766503be31ababf831f71bb23bb0edb0f1b0d00b65d9ba62eced2f25
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6f2aef84-1793-4467-a861-7be6e8504e65
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1435841
Signature
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1188c2e2766503be31ababf831f71bb23bb0edb0f1b0d00b65d9ba62eced2f25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1188c2e2766503be31ababf831f71bb23bb0edb0f1b0d00b65d9ba62eced2f25/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-05-03 07:02:56 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgemfytwmub34mnlvp4dd5y3wi53b3nq6gynac3f3g5gf3hnf4sq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
39904c5d67aebdeb68b5bc799559dda7fe7bd9db166fd8dc72e7e4c0ce5d6491
GuLoader
3ed0095ee2de05e81ac2c954eb0df312d6b919d871b60ce4265acd266be09d3c
GuLoader
66c25b056feae73374a9cb4db0469c94d0a1d2d91cfe09cad1e890e72d5bfb70
GuLoader
71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0
GuLoader
73e2064d3989b863781bff3c15319c8baa58aa68997eb28417ffc7354d1a77e6
GuLoader
8081e0bda5a4d7cf536969b1a62ec3d550d1f806e189ee4a6eb14524b4eb9c64
GuLoader
84176781043f8f95306328477f7b28fa721f44b1767fe740cbd207233c2a47c6
GuLoader
a731a3484aa2cde6c16d273b0838b664de71e45c498d6412dca328b457873248
GuLoader
e3c50af5dfca67fd9af9530c801ef172bde856241cf6b2c8596421b9a7ae8882
GuLoader
ea38b6131bffa783cde57e659bf5aad8d7af08359e4d4a8be016f7f296bb3499
GuLoader
+ 725 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/240503-jn9fzacc42/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
MD5 hash:
fc3772787eb239ef4d0399680dcc4343
SHA1 hash:
db2fa99ec967178cd8057a14a428a8439a961a73
Link:
https://www.unpac.me/results/a148907f-f71e-4695-8c03-5ab521649be1/
SH256 hash:
1188c2e2766503be31ababf831f71bb23bb0edb0f1b0d00b65d9ba62eced2f25
MD5 hash:
881d9482d1d4f11f95e393272fb7eb29
SHA1 hash:
c468678453c2ef1a7ae1b89b30fa95e21cee20f7
Link:
https://www.unpac.me/results/a148907f-f71e-4695-8c03-5ab521649be1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1188c2e27665/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1188c2e2766503be31ababf831f71bb23bb0edb0f1b0d00b65d9ba62eced2f25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments