MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d
SHA3-384 hash: 59a437f7836326e11a50958c1c7e50ddfdbb31d7fcc3f5fb4ad70afc5d0c77b95cab4bbe6c1a1cb978ceb7388978f60c
SHA1 hash: 489bd8f3ea436f212ad8894041e458737894c830
MD5 hash: 35a8d09f90bf40a9efc1c374411bec49
humanhash: earth-arkansas-lima-oranges
File name:Purchase Order 49545.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:763'069 bytes
First seen:2023-11-03 07:34:06 UTC
Last seen:2023-11-03 09:19:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 671f2a1f8aee14d336bab98fea93d734 (182 x GuLoader, 4 x Formbook, 4 x RemcosRAT)
ssdeep 12288:M0f2JEhxDZQSA9H35XMki6i3850evweXtTYVNPvwfj9HBrRYzzpTq:M0foEhxDZtiFMki6i38hz9T2PoftxGVG
TLSH T1D0F41212B264D863E8590173CCA7D6FC6FB23D5E1DD9024B33A9772E7832752B84E258
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457926/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.420.4476.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6544a2a84ebf05ac3f42cc1a/reports/dcdb5bde-49cf-41ed-aa13-3657470eb717/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e4d5bce1-df4d-4d0b-9cf6-f6db499d22bd
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1336438
Signature
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1336438 Sample: Purchase_Order_49545.exe Startdate: 03/11/2023 Architecture: WINDOWS Score: 76 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected GuLoader 2->46 48 Initial sample is a PE file and has a suspicious name 2->48 7 Purchase_Order_49545.exe 1 53 2->7         started        11 svchost.exe 2->11         started        14 SkypeApp.exe 2->14         started        process3 dnsIp4 38 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->38 dropped 40 C:\Users\user\AppData\Local\...\System.dll, PE32 7->40 dropped 50 Mass process execution to delay analysis 7->50 52 Tries to detect virtualization through RDTSC time measurements 7->52 16 powershell.exe 7->16         started        18 powershell.exe 7->18         started        20 powershell.exe 7->20         started        22 77 other processes 7->22 42 127.0.0.1 unknown unknown 11->42 file5 signatures6 process7 process8 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started        36 74 other processes 22->36
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 00:38:46 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
17 of 38 (44.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=di74ymlpjofuaravuhrc6qkegeke7ztzqn2mzbqkidw5z2xjymoq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231103-jen4nsga24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SH256 hash:
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87
MD5 hash:
6c881f00ba860b17821d8813aa34dbc6
SHA1 hash:
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13
Link:
https://www.unpac.me/results/6dff98a7-823a-4164-b731-bb4418616912/
SH256 hash:
c2c1bb44cbf38da50e56e01faf58e3dc96278bc47fb416ae3e3d2d314f1d52c6
MD5 hash:
3545c25d3370cd95b4545da3f111f623
SHA1 hash:
56ef00e4c69160b071d7c138f7723ced46e27d91
Link:
https://www.unpac.me/results/6dff98a7-823a-4164-b731-bb4418616912/
SH256 hash:
832da3cff792135ecb98f44c387bea3a8e2e9bd096b917303ca8b9dc71d60365
MD5 hash:
50a9396a761bf245ed4df1b08782d6f2
SHA1 hash:
e01a99100e91801abe074341b0c77cca6220f0bd
Link:
https://www.unpac.me/results/6dff98a7-823a-4164-b731-bb4418616912/
SH256 hash:
1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d
MD5 hash:
35a8d09f90bf40a9efc1c374411bec49
SHA1 hash:
489bd8f3ea436f212ad8894041e458737894c830
Link:
https://www.unpac.me/results/6dff98a7-823a-4164-b731-bb4418616912/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/457926/

Comments