MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ae1583b2be5c21f228a0e925652c9f5013bddf699548ca39b02670576325010. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ae1583b2be5c21f228a0e925652c9f5013bddf699548ca39b02670576325010
SHA3-384 hash: be332e5eb3070fee5852a99320fe6cb0b139384b1c707762bd5bac0f950acacb637a64ac1b332442d1e31c32753816af
SHA1 hash: b37f59b0ec54d6c40645837dbb3a18c954346601
MD5 hash: e0d35d2fe887cbe0b4de87f1be7d7a17
humanhash: minnesota-aspen-whiskey-zulu
File name:6000507958.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:576'877 bytes
First seen:2024-04-29 14:41:00 UTC
Last seen:2024-04-29 15:17:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep 12288:8stfWr2z5t/dtpQBEd6XT9Pi8RzDm+EYRfT7d+:8st+r2z5J9Pd6XT9Pi85REYpT7d+
TLSH T14AC4D0622277DC63E39442B44015EABD8E7BFE8A1935DA3716F4EC5BB518F36381A301
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter malwarelabnet
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
6000507958.7z
Verdict:
Malicious activity
Analysis date:
2024-04-24 12:30:05 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/52eb63e2-4d78-4a8f-a658-4b636f221b94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Creating a file in the Windows subdirectories
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/662fb189c5dabc22b20c4dc9/reports/b76c1f48-86fa-414b-99e0-7be31a937bbf/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1ae1583b2be5c21f228a0e925652c9f5013bddf699548ca39b02670576325010
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba64fe21-1ea7-4cd2-b336-c1d843bbc5f8
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433461
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433461 Sample: 6000507958.exe Startdate: 29/04/2024 Architecture: WINDOWS Score: 100 48 www.ejbodyart.com 2->48 50 kraljevikonaci.rs 2->50 52 ejbodyart.com 2->52 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 4 other signatures 2->78 11 6000507958.exe 33 2->11         started        signatures3 process4 file5 42 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 11->42 dropped 44 C:\Users\user\AppData\Local\...\Incurvity.eft, ASCII 11->44 dropped 86 Suspicious powershell command line found 11->86 15 powershell.exe 20 11->15         started        signatures6 process7 file8 46 C:\Users\user\AppData\Local\...\Brookier.exe, PE32 15->46 dropped 58 Obfuscated command line found 15->58 60 Writes to foreign memory regions 15->60 62 Sample uses process hollowing technique 15->62 64 2 other signatures 15->64 19 Brookier.exe 2 7 15->19         started        23 conhost.exe 15->23         started        25 cmd.exe 1 15->25         started        signatures9 process10 dnsIp11 54 kraljevikonaci.rs 195.252.110.253, 443, 49736 BEOTEL-AShttpwwwbeotelnetRS Serbia 19->54 80 Multi AV Scanner detection for dropped file 19->80 82 Machine Learning detection for dropped file 19->82 84 Maps a DLL or memory area into another process 19->84 27 sXdRQEJVRuWKxOSfjXgDuWarCq.exe 19->27 injected 31 cmd.exe 1 19->31         started        signatures12 process13 dnsIp14 56 ejbodyart.com 112.175.50.218, 49738, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 27->56 88 Found direct / indirect Syscall (likely to bypass EDR) 27->88 33 cmd.exe 13 27->33         started        36 conhost.exe 31->36         started        38 reg.exe 1 1 31->38         started        signatures15 process16 signatures17 66 Tries to steal Mail credentials (via file / registry access) 33->66 68 Tries to harvest and steal browser information (history, passwords, etc) 33->68 70 Maps a DLL or memory area into another process 33->70 40 firefox.exe 33->40         started        process18
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1ae1583b2be5c21f228a0e925652c9f5013bddf699548ca39b02670576325010
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ae1583b2be5c21f228a0e925652c9f5013bddf699548ca39b02670576325010/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2024-04-24 00:57:15 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlqvqozl4xbb6iukb2jfmuwj6uatxxpwtfkizi43ajtqk5rskaia._file
Verdict:
malicious
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence
Link:
https://tria.ge/reports/240429-r2e4aadd5w/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
10675f13abaee592f14382349aa35d82fb52aab4e27eef61d0c83dec1f6b73da
MD5 hash:
5aa38904acdcc21a2fb8a1d30a72d92f
SHA1 hash:
a9ce7d1456698921791db91347dba0489918d70c
Link:
https://www.unpac.me/results/7951ee8b-fb7f-4d24-bd2c-57dd495dd352/
SH256 hash:
6afc379db09413c59646e9ca45ac098b578f4fee6010b716f1e09836979931df
MD5 hash:
dcff8de7950c55510edf7249fecfe57e
SHA1 hash:
332fefb8d064eb262a53749c3e0cf762af894917
Link:
https://www.unpac.me/results/7951ee8b-fb7f-4d24-bd2c-57dd495dd352/
SH256 hash:
1ae1583b2be5c21f228a0e925652c9f5013bddf699548ca39b02670576325010
MD5 hash:
e0d35d2fe887cbe0b4de87f1be7d7a17
SHA1 hash:
b37f59b0ec54d6c40645837dbb3a18c954346601
Link:
https://www.unpac.me/results/7951ee8b-fb7f-4d24-bd2c-57dd495dd352/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ae1583b2be5c21f228a0e925652c9f5013bddf699548ca39b02670576325010

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments