MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98
SHA3-384 hash: 754779b2b4aed0b66248f1fa2a3cb0d45f61cc4ac54e5e9ede6d2cc9473949d2c95993ec87f6876d0e7a1fbcc2d76308
SHA1 hash: e14276554b5a2a2cdea158d8111170b780e5234e
MD5 hash: 117c09138f84dce084e42fcb684e9188
humanhash: nuts-wolfram-three-lima
File name:RFQ.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'163'264 bytes
First seen:2023-07-10 09:38:00 UTC
Last seen:2023-07-10 10:09:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 24576:EnsJ39LyjbJkQFMhmC+6GD9XgaNVtTxklSHBbqJ+eQA:EnsHyjtk2MYC5GDZgmFhble7
Threatray 986 similar samples on MalwareBazaar
TLSH T19F35BF32F2D18437D1721A3C8C5BA3A99829BE512E387A4B3BE51E4C5F3D6813D592D3
TrID 88.0% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
5.7% (.EXE) InstallShield setup (43053/19/16)
1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.EXE) Win64 Executable (generic) (10523/12/4)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
dhash icon feb2baa8b8b4a0c0 (1 x GuLoader)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ.exe
Verdict:
Malicious activity
Analysis date:
2023-07-10 10:42:30 UTC
Tags:
installer
Link:
https://app.any.run/tasks/ad7dfd5e-55eb-43d3-8a8d-b4ed44e20069

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/413475/
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Win.Trojan.Generic-9936029-0
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %temp% directory
Delayed reading of the file
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Sending an HTTP GET request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96859/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd control darkkomet dropper emotet evasive fingerprint greyware guloader hacktool keylogger lolbin macros macros-on-close macros-on-open macros-on-open optix packed remote shell32 unsafe
Link:
https://www.filescan.io/uploads/64abd1a02333b198b23a0182/reports/50c86779-fe87-4d30-8168-b3ca32870dd3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84cf9c47-01a4-40ed-9666-47eedb4c3afb
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1269589
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1269589 Sample: RFQ.exe Startdate: 10/07/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Antivirus detection for URL or domain 2->58 60 Antivirus detection for dropped file 2->60 62 11 other signatures 2->62 7 RFQ.exe 1 6 2->7         started        10 EXCEL.EXE 23 20 2->10         started        12 Synaptics.exe 2->12         started        process3 file4 26 C:\Users\user\Desktop\._cache_RFQ.exe, PE32 7->26 dropped 28 C:\ProgramData\Synaptics\Synaptics.exe, PE32 7->28 dropped 30 C:\ProgramData\Synaptics\RCX87F.tmp, PE32 7->30 dropped 32 C:\...\Synaptics.exe:Zone.Identifier, ASCII 7->32 dropped 14 Synaptics.exe 30 7->14         started        19 ._cache_RFQ.exe 4 54 7->19         started        process5 dnsIp6 40 freedns.afraid.org 174.128.246.100, 49699, 80 ST-BGPUS United States 14->40 42 docs.google.com 172.217.168.14, 443, 49694, 49695 GOOGLEUS United States 14->42 44 xred.mooo.com 14->44 34 C:\Users\user\Documents\~$cache1, PE32 14->34 dropped 46 Antivirus detection for dropped file 14->46 48 Multi AV Scanner detection for dropped file 14->48 50 Drops PE files to the document folder of the user 14->50 52 Machine Learning detection for dropped file 14->52 21 WerFault.exe 24 9 14->21         started        24 WerFault.exe 14->24         started        36 C:\Users\user\AppData\Local\...\System.dll, PE32 19->36 dropped 54 Tries to detect virtualization through RDTSC time measurements 19->54 file7 signatures8 process9 dnsIp10 38 192.168.2.1 unknown unknown 21->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98/
Threat name:
Win32.Virus.Napwhich
Create hunting rule
Status:
Malicious
First seen:
2023-07-04 08:44:11 UTC
File Type:
PE (Exe)
Extracted files:
91
AV detection:
33 of 38 (86.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dewmgljlketco2jbogudjxocip2nf23eakzqdrwoj5evycdsb6ma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1
GuLoader
2ba0e2aa5120cd3969463699261f1ffc71763fa001212564375d578e7301523f
GuLoader
4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875
GuLoader
4339763c2998a0b0a63f0a1e0034decd766d3fc8d3cf35e946a7b12c9e34ab3e
GuLoader
4d6ae0a40fcc30fab170c3e70dd5076253ddf9fa6ec0886d39cffbd9df99ae52
GuLoader
8731774a17b8d40b743f7fd6ff83d45ca5890f8e1371be8a0755186f2fc3cda0
GuLoader
9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d
GuLoader
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
GuLoader
e4b6f95557a2356d046da60a1ca4e52d302618108fae774b8128ffc0586366e0
GuLoader
+ 976 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader persistence
Link:
https://tria.ge/reports/230710-ll52waae8t/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks QEMU agent file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/040790d4-07f7-4f24-9c3b-7c698eb72835/
SH256 hash:
371a6ddc7befe6a31a702e5a1dddaa9627a71582e46bf5bfb0f6b3dba16639ce
MD5 hash:
6e0cc3c3426dfd992a0ba17c6ff65dbb
SHA1 hash:
1d88c326d63985e33f2e4051226816e4e560495d
Link:
https://www.unpac.me/results/040790d4-07f7-4f24-9c3b-7c698eb72835/
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/040790d4-07f7-4f24-9c3b-7c698eb72835/
SH256 hash:
371a6ddc7befe6a31a702e5a1dddaa9627a71582e46bf5bfb0f6b3dba16639ce
MD5 hash:
6e0cc3c3426dfd992a0ba17c6ff65dbb
SHA1 hash:
1d88c326d63985e33f2e4051226816e4e560495d
Link:
https://www.unpac.me/results/040790d4-07f7-4f24-9c3b-7c698eb72835/
SH256 hash:
192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98
MD5 hash:
117c09138f84dce084e42fcb684e9188
SHA1 hash:
e14276554b5a2a2cdea158d8111170b780e5234e
Link:
https://www.unpac.me/results/040790d4-07f7-4f24-9c3b-7c698eb72835/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/192cc32d2b51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/413475/

Comments