MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 14

SHA256 hash: 24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea
SHA3-384 hash: 1e050e9fcbaf13da12061c0d95f037f66f386a49dc5349f06423f68e6b368982aa84aaeddcaf1b3657f71166006326b8
SHA1 hash: 0d09bb2239f9931f4b43978df66f917491c585ff
MD5 hash: f9d9aeb51076e4bd92d48f9aed428f73
humanhash: snake-sodium-fifteen-fifteen
File name: disputants stiftsfrkens.exe
Signature: GuLoader
File size: 904'704 bytes
First seen: 2024-07-10 21:58:06 UTC
Last seen: 2024-07-10 22:22:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 671f2a1f8aee14d336bab98fea93d734 (182 x GuLoader, 4 x Formbook, 4 x RemcosRAT)
ssdeep: 24576:33WbOu88u2R7ET7SDR3CaHouNH6K8Yx1Lm:33Wyu852GTUYaI6aRY/m
TLSH: T15F1522643650C4FBE56808744DBBABA44FBC7FD724C24A872BA5321CAF707C1680BB59
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: NDA0E
Tags: exe GuLoader RemcosRAT signed

Code Signing Certificate

Organisation: Shaftway
Issuer: Shaftway
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-04T05:21:10Z
Valid to: 2026-12-03T05:21:10Z
Serial number: 128db973c9e3be6e624ebe6cb52cba2fbb2b424e
Thumbprint Algorithm: SHA256
Thumbprint: e1129be9956fedb4df7990bd96302c606673caec41d14f7053fa5e0b33f47a43
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


NDA0E
Drops RemcosRAT payload via compromised domain: http://zakk.co.za/HkdzhFw244.bin

RemcosRAT C2: newskingdomz.live:22330 (147.124.212.217:22330)

Intelligence

File Origin
# of uploads: 2
# of downloads: 422
Origin country: NL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea.exe
Verdict: Malicious activity
Analysis date: 2024-07-10 22:00:04 UTC
Tags: rat remcos remote stealer evasion mpress
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: Encryption Execution Network Static

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin microsoft_visual_cc overlay packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Remcos, GuLoader
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Remcos
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 1471119; sample: disputants stiftsfrkens.exe; start date: 10/07/2024; architecture: WINDOWS; score: 100). Process tree recovered from the graph:
- disputants stiftsfrkens.exe: drops C:\Users\user\AppData\...\Styrbart.Udd32 (ASCII); signature: Suspicious powershell command line found; starts powershell.exe
- powershell.exe: drops C:\Users\user\...\disputants stiftsfrkens.exe (PE32); signatures: Writes to foreign memory regions, Found suspicious powershell code related to unpacking or dynamic code loading, Powershell drops PE file; starts wab.exe and conhost.exe
- wab.exe: contacts newskingdomz.live (147.124.212.217; ports 22330, 49725, 49726; AC-AS-1US, United States), zakk.co.za (102.218.215.35; ports 49724, 80; CKL1-ASNKE, unknown), geoplugin.net (178.237.33.50; ports 49728, 80; ATOM86-ASATOM86NL, Netherlands); signatures: Detected Remcos RAT, Tries to harvest and steal browser information (history, passwords, etc), Maps a DLL or memory area into another process; starts three further wab.exe instances and 2 other processes
- child wab.exe instances: Tries to steal Instant Messenger accounts or passwords, Tries to harvest and steal browser information (history, passwords, etc), Tries to steal Mail credentials (via file / registry access)
- other processes: conhost.exe, reg.exe
Sample-level signatures: Found malware configuration, Antivirus detection for URL or domain, Yara detected GuLoader, 9 other signatures. Contacted domains: newskingdomz.live, zakk.co.za, geoplugin.net.
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2024-07-10 06:43:23 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 12 of 24 (50.00%)
Threat level: 5/5

Verdict: malicious
Label(s):

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost execution persistence rat
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Remcos
Malware Config
C2 Extraction: newskingdomz.live:22330

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea
MD5 hash: f9d9aeb51076e4bd92d48f9aed428f73
SHA1 hash: 0d09bb2239f9931f4b43978df66f917491c585ff

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: NSIS_April_2024
Author: NDA0N
Description: Detects NSIS installers

Rule name: NSIS_GuLoader
Author: NDA0E
Description: Detects GuLoader using NSIS

Rule name: NSIS_GuLoader_July_2024
Author: NDA0E
Description: Detects GuLoader packed with NSIS installer

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews (ID, capability, evidence)

COM_BASE_API: Can Download & Execute components
    ole32.dll::CoCreateInstance
SECURITY_BASE_API: Uses Security Base API
    ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API: Manipulates System Shell
    SHELL32.dll::ShellExecuteExA
    SHELL32.dll::SHFileOperationA
    SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API: Can Create Process and Threads
    KERNEL32.dll::CreateProcessA
    ADVAPI32.dll::OpenProcessToken
    KERNEL32.dll::CloseHandle
    KERNEL32.dll::CreateThread
WIN_BASE_API: Uses Win Base API
    KERNEL32.dll::LoadLibraryExA
    KERNEL32.dll::GetDiskFreeSpaceA
    KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API: Can Create Files
    KERNEL32.dll::CopyFileA
    KERNEL32.dll::CreateDirectoryA
    KERNEL32.dll::CreateFileA
    KERNEL32.dll::DeleteFileA
    KERNEL32.dll::MoveFileA
    KERNEL32.dll::MoveFileExA
WIN_BASE_USER_API: Retrieves Account Information
    ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API: Can Manipulate Windows Registry
    ADVAPI32.dll::RegCreateKeyExA
    ADVAPI32.dll::RegDeleteKeyA
    ADVAPI32.dll::RegOpenKeyExA
    ADVAPI32.dll::RegQueryValueExA
    ADVAPI32.dll::RegSetValueExA
WIN_USER_API: Performs GUI Actions
    USER32.dll::AppendMenuA
    USER32.dll::EmptyClipboard
    USER32.dll::FindWindowExA
    USER32.dll::OpenClipboard
    USER32.dll::PeekMessageA
    USER32.dll::CreateWindowExA

Comments