MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764
SHA3-384 hash:	22fa98987bc7693edfa2e658569fc34eacc91f6e01ff2948662b5b9727f584e21e02fbbbf30d5ecbc9c89e4f0e803a56
SHA1 hash:	8294d213c448dbf6fb638db615197f6301e25130
MD5 hash:	94587df3dcf38e3db8b5f7f1d4d06424
humanhash:	quebec-foxtrot-don-oscar
File name:	IMG INV 45123452353202016389 Koordinationer.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	584'616 bytes
First seen:	2024-03-04 16:33:11 UTC
Last seen:	2024-03-06 14:08:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep	12288:bYBG9h+MP71q28B/zGIKNh2YMyYfcJs92Dn9oSf8V:bYBm8MP71q2o/zKCyxJssn9t
Threatray	569 similar samples on MalwareBazaar
TLSH	T1C1C401513A96DC59DC574E3026E9DB2D9F3FBC802E06468736E2BFEACA703F25905046
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	493efaf8f4b4d8f8 (2 x GuLoader)
Reporter	TeamDreier
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Cholecystorrhaphy
Issuer:	Cholecystorrhaphy
Algorithm:	sha256WithRSAEncryption
Valid from:	2024-01-07T00:15:41Z
Valid to:	2027-01-06T00:15:41Z
Serial number:	0cb1ecf36110497316ee4d31935e37c644095a97
Thumbprint Algorithm:	SHA256
Thumbprint:	4c2e2dc7c63f2b86a1c2603a40fa081859f3a598180f3dc0b3d09503f58d6516
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG INV 45123452353202016389 Koordinationer.gz

Verdict:

Malicious activity

Analysis date:

2024-02-27 19:23:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/91ef52c1-9ab7-4085-b6cf-b26d5b3b65da

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Jaik.63881.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Creating a file

Delayed reading of the file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

guloader installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65e5f8013b77ec6525656448/reports/97b1fa37-60d3-4db6-affc-bc3db114a6df/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2f2be541-8c9b-44ba-a790-aa13e5da388b

Result

Threat name:

GuLoader, Remcos

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1402844

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected GuLoader

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2024-02-27 09:26:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=djpbijmpcfxtcq5aoe3tz2hh3cn5mrgexcgw3iithzjdoijss5sa._file

Verdict:

unknown

GuLoader

2489ed4ad13317146172de6a5c704cc6897ed228f10107c9ec90a7eb142cf84a

GuLoader

30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02

GuLoader

7c9e88afcdeebca3c1f07c6a2c571d2fd51260c6dba7fdf0d2d10999ba23836d

GuLoader

88dab0ee02a70b83cb4c99ffa6e809c2789c9e1d55cdcd92454f73bf9d5effa4

GuLoader

8d4b6402a6c425fd43bcafdcdf6e08033daef3980e25fe7edf457d030736f602

GuLoader

c38606758c66572a12b14f0fff37d2d708cfb7aded6fffe4516f1691f56690c6

GuLoader

c828cbb41945322c3294bd70c8c6423ae001604c3fa725422d0de59dd7e653b7

GuLoader

c99e5d501ac5c8bbe555461e1fbdaab837b6d2da32b272a42050841b0a6f3378

GuLoader

+ 559 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:guloader family:remcos downloader persistence rat

Link:

https://tria.ge/reports/240304-t23wfseg8x/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Guloader,Cloudeye

Remcos

Unpacked files

SH256 hash:

904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

MD5 hash:

55a26d7800446f1373056064c64c3ce8

SHA1 hash:

80256857e9a0a9c8897923b717f3435295a76002

Detections:

win_qtbot_auto

Link:

https://www.unpac.me/results/63ee02ab-a3bb-4e3f-b6b9-ac4fe817b52c/

Parent samples :

dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
e689963b4319dd5d5249ac1c629af5951f4e90db8040bf7ee33492e54c2c6487
bba7b7e91056db7fb6f628ab6478960b96c1a9d8606d6d5b4d74d5043b2bad79
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
2952bf5efc5b011349d22cbe6e7a813f0ae014d145f23115184a36a1448262d0
4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
830b4dcec27e5d45a9bb7bc538fc026e4af5c3a18de4a71e80b066afe059ac54
2db92a3fa08dc8e97b4f2651e9ec1d123d2556ce5bc7ec9474672767f6505e26
f2b345fcebcd9ed2e342399cfe9819abee7c3642efb6279ad3b4c940555d4564
101057440710c8766fc47fb315ba9fb471c633079c034d5d213e3011cfe075a9
252c26a5ea749569e41b4ce291ea4ff21d08ca884123c8ff171433a359455033
601bc4c4ff50e846a29e702f894f72b8cea1c7c200b363795ed7905784dde043
337b4c24e057d2585f87ed8ad3711ea4c59a3ae1b0895176d983bbc0c64a1d11
1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764
f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
31eb29c56f113f47c0e4d29f346f685db8a00b9394efa9643caafa254f0618d7
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
406a9e03ab016d68a3aa919ac67397a83081f3ef478baf752d90545ec0fac6dc
e1e722daed3f9e886b15a541de7d67a023f42b2af431a5b6879ad7d32a1c36bf
170825eaa838a2e43fc76d3ad458982182f7b5471554ffd993525fd928b21d3d
1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1
2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
3a66e54745e3455f2a8ecf35cc2ae7f3e4c7f960b547a65a55ac8ee4209b37e4
a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e
f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
ec06ca55bb1ff5e2c51e7756302a11bfc5341b6baa323788d93d646bd84602da
9a66af305ab345c37b408f496c0ad1251e1346f41586742df225af2c6564d576
9b2665438001f2c82c0737efac921004f3435efb29d1edffede8e45683a164a9

SH256 hash:

1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764

MD5 hash:

94587df3dcf38e3db8b5f7f1d4d06424

SHA1 hash:

8294d213c448dbf6fb638db615197f6301e25130

Link:

https://www.unpac.me/results/63ee02ab-a3bb-4e3f-b6b9-ac4fe817b52c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

GuLoader

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe 1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::SetFileSecurityA
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExA SHELL32.dll::SHFileOperationA SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetDiskFreeSpaceA KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::MoveFileExA KERNEL32.dll::MoveFileA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::FindWindowExA USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample