MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 209521dc08b1186e9ac56e1d4fe3b30e20bd5f818b9391b779affd531258a100. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 209521dc08b1186e9ac56e1d4fe3b30e20bd5f818b9391b779affd531258a100
SHA3-384 hash: 93db3860168b0ebadd77f378ab9814eb16d85fcf4263786d499170e8f3b12b27ef9313e559e987c3acb4b2d61752ba9a
SHA1 hash: fd47a4c2eb8dfa6bee052c991d837b3244758bf9
MD5 hash: aba95d32ceb459d5fc7f82d3f3ad0d37
humanhash: may-eleven-louisiana-moon
File name:Aresphe - RFQ20230620-Bill of Quantity.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:370'872 bytes
First seen:2023-06-20 11:08:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:x3hqLWglOGTPpahHFPPezSBXeqWoib0z85Nl7l36/jB1nJ39tXsl:x3HglNTPpahFPDoqWoib0Qn7I/jB1J3k
Threatray 399 similar samples on MalwareBazaar
TLSH T1DE7423031725C437FE839E705F7A6B234E76989018B0454717CA2ACEBEB2352EB1B741
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-07-06T23:58:28Z
Valid to:2025-07-05T23:58:28Z
Serial number: 78bd7543c0d9f07a977427dd8fc54aa5d6d72688
Thumbprint Algorithm:SHA256
Thumbprint: d42b88625f93948de01a8011c1bb1c4cd0b5f725f49e9c89b37c22f9a172a2b3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Aresphe - RFQ20230620-Bill of Quantity.exe
Verdict:
Suspicious activity
Analysis date:
2023-06-20 11:10:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3de0e11-59d5-4cff-b918-592162c43f9c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400963/
Detection(s):
SecuriteInfo.com.Trojan.NSIS.Agent.22893.30192.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91882/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/649188cf4c9361a70986edf1/reports/82368d2c-517d-450b-9232-678f1165bce0/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/209521dc08b1186e9ac56e1d4fe3b30e20bd5f818b9391b779affd531258a100
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3907be47-bd02-4d11-9d8e-0c5d1b94d18a
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1258188
Signature
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/209521dc08b1186e9ac56e1d4fe3b30e20bd5f818b9391b779affd531258a100/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecksdxaiwemg5gwfnyou7y5tbyql2x4brojzdn3zv76vgesyueaa._file
Verdict:
unknown
Similar samples:
0c7081e0e58dc4c306138f6287a984eee9ac748fb537394a6632688077857a09
GuLoader
169b591d42ac6dac4d0c5b803e6c4edcab60608f0983a8334339857e4a7588ee
GuLoader
69d141096955a35ede46b91e97129df4d8faead0e19c9b0badf180b7b0c8600f
GuLoader
788510bf3fc20aacc76bd0ed1884ff8452f4e79023f2f3ad3072efbd7e74139d
GuLoader
7d803e44c98cd23b971f692182f8d1d508fe82fb0fd6b681e7896c552d88411a
GuLoader
80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98
GuLoader
e0bf87c8ef8c048b6245ada3bf252c6de8ee83c8b2bcd293929eb83ea21073ba
GuLoader
fa8b66e3d2ad1c59f8b02eee4c7fe64bd46a611245972c83b81173f08218c5e9
GuLoader
+ 389 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230620-m84yrscg5x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/513c82de-e7f2-4bf5-9787-98a9a94d6be9/
SH256 hash:
209521dc08b1186e9ac56e1d4fe3b30e20bd5f818b9391b779affd531258a100
MD5 hash:
aba95d32ceb459d5fc7f82d3f3ad0d37
SHA1 hash:
fd47a4c2eb8dfa6bee052c991d837b3244758bf9
Link:
https://www.unpac.me/results/513c82de-e7f2-4bf5-9787-98a9a94d6be9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/209521dc08b1186e9ac56e1d4fe3b30e20bd5f818b9391b779affd531258a100

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 209521dc08b1186e9ac56e1d4fe3b30e20bd5f818b9391b779affd531258a100

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400963/

Comments