MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22b6816c45f86b303404b94b09b852a910d4ef335c05244c4acf6450ed86572b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22b6816c45f86b303404b94b09b852a910d4ef335c05244c4acf6450ed86572b
SHA3-384 hash: 6e98ef62dba5262bf4dd9c900d1866975adcace77928cd101b33256301baa9abe904dbdcdae64dd7c9a77a4fd0d9950c
SHA1 hash: 43e0065a86b944771992db8af0cad4ee86631aa4
MD5 hash: f022d5f21c803c1936e2c6f28f0f9240
humanhash: november-mexico-cold-oranges
File name:Factura 1-000816pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:371'234 bytes
First seen:2023-07-10 12:22:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b40f29cd171eb54c01b1dd2683c9c26b (45 x GuLoader, 16 x RemcosRAT, 15 x VIPKeylogger)
ssdeep 6144:/oShfEPZVheNA+ff03j2NVag8mLWUkCs3dD1A2uwxMf6rbmOuGot:QqCnhe2e4j2627kCsERwGfvdt
Threatray 911 similar samples on MalwareBazaar
TLSH T1C78449A239DA356FEC2F4674035FEAB22A795CD07382496E4F40760D0C3694A90EEDD7
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c88604b919c6c6c0 (77 x GuLoader, 10 x Formbook, 8 x AgentTesla)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Factura 1-000816pdf.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-10 12:27:02 UTC
Tags:
installer
Link:
https://app.any.run/tasks/6ce67f8b-8f4d-403e-ac7f-19868d5b40b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/413577/
Detection(s):
SecuriteInfo.com.W32.Trojan.MIVJ-5088.5029.3097.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64abf82c2333b198b23a0975/reports/ad4e7c94-1651-49a3-96e9-6e5505a6dace/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/22b6816c45f86b303404b94b09b852a910d4ef335c05244c4acf6450ed86572b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/29e37d65-bd90-4c7b-b731-78a10f4c4647
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1269726
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1269726 Sample: Factura_1-000816pdf.exe Startdate: 10/07/2023 Architecture: WINDOWS Score: 100 36 www.xinyongkacdfg.vip 2->36 38 www.vdb2b.com 2->38 40 28 other IPs or domains 2->40 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 5 other signatures 2->66 11 Factura_1-000816pdf.exe 4 26 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\System.dll, PE32 11->32 dropped 34 C:\Users\...\System.IO.Compression.Brotli.dll, PE32+ 11->34 dropped 78 Tries to detect Any.run 11->78 15 Factura_1-000816pdf.exe 6 11->15         started        signatures6 process7 dnsIp8 48 googlehosted.l.googleusercontent.com 142.250.181.225, 443, 49949 GOOGLEUS United States 15->48 50 drive.google.com 172.217.18.110, 443, 49948 GOOGLEUS United States 15->50 52 Modifies the context of a thread in another process (thread injection) 15->52 54 Tries to detect Any.run 15->54 56 Maps a DLL or memory area into another process 15->56 58 2 other signatures 15->58 19 RAVCpl64.exe 15->19 injected signatures9 process10 process11 21 control.exe 13 19->21         started        signatures12 68 Tries to steal Mail credentials (via file / registry access) 21->68 70 Tries to harvest and steal browser information (history, passwords, etc) 21->70 72 Writes to foreign memory regions 21->72 74 3 other signatures 21->74 24 explorer.exe 4 1 21->24 injected 28 firefox.exe 21->28         started        process13 dnsIp14 42 newleaderscoach.com 217.115.117.198, 49963, 49964, 49965 WEBWORLD-AStaWebWorldIrelandIE Ireland 24->42 44 www.portvort.xyz 203.161.55.144, 49971, 49972, 49973 VNPT-AS-VNVNPTCorpVN Malaysia 24->44 46 15 other IPs or domains 24->46 76 System process connects to network (likely due to code injection or exploit) 24->76 30 WerFault.exe 4 28->30         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22b6816c45f86b303404b94b09b852a910d4ef335c05244c4acf6450ed86572b/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 07:57:45 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ek3ic3cf7bvtanaexffqtocsveinj3ztlqcsitckz5sfb3mgk4vq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8
GuLoader
4d6ae0a40fcc30fab170c3e70dd5076253ddf9fa6ec0886d39cffbd9df99ae52
GuLoader
713295015c5460b487bd9e9fbe4ac0e600791a47911852e5a5feec1bafbb55fe
GuLoader
72cf82cbf24e740b354e9d3b86072b0ad4a741a8489870b42f559d93a364ce82
GuLoader
8731774a17b8d40b743f7fd6ff83d45ca5890f8e1371be8a0755186f2fc3cda0
GuLoader
b028ced984ab94ba551b890e2b55645509a1bfd4f2970b592ada728de261a379
GuLoader
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
GuLoader
c36591c7c0ef136b66dcf2955035ffc43ccd7fa6d6ce8c65f747dbe0aff7814e
GuLoader
e4b6f95557a2356d046da60a1ca4e52d302618108fae774b8128ffc0586366e0
GuLoader
+ 901 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/230710-pkhfzaab78/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2
MD5 hash:
6ad39193ed20078aa1b23c33a1e48859
SHA1 hash:
95e70e4f47aa1689cc08afbdaef3ec323b5342fa
Link:
https://www.unpac.me/results/ac7f7d07-38d3-4c89-9c6e-696182ecd110/
SH256 hash:
22b6816c45f86b303404b94b09b852a910d4ef335c05244c4acf6450ed86572b
MD5 hash:
f022d5f21c803c1936e2c6f28f0f9240
SHA1 hash:
43e0065a86b944771992db8af0cad4ee86631aa4
Link:
https://www.unpac.me/results/ac7f7d07-38d3-4c89-9c6e-696182ecd110/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/22b6816c45f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/413577/

Comments