MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27f598db14b0b24b388c48d2856045bdd2675e3bb82db4c91046bc04de6ef094. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27f598db14b0b24b388c48d2856045bdd2675e3bb82db4c91046bc04de6ef094
SHA3-384 hash: e81dc86a2fc0ab0a471194e6adf81b240c7b426091e2cfb45ee57eea095023026190685ddf292dfe9a536a5b8bc11dd1
SHA1 hash: f31fee2bf828fb0519f00dcfb9022488024324b7
MD5 hash: 4f4f68ef8d8e4435618b6195b0a236f1
humanhash: social-diet-east-edward
File name:Orden de compra 49545.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:745'505 bytes
First seen:2023-11-03 07:34:10 UTC
Last seen:2023-11-03 09:20:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 671f2a1f8aee14d336bab98fea93d734 (182 x GuLoader, 4 x Formbook, 4 x RemcosRAT)
ssdeep 12288:M0f2JEhxoH9msJG9IfoyyAnHEypIF9C7rw6z5FKweXtTYVNPvwfj9HBrRYzzpTz:M0foEhxjf9IgsEXFYo6zfg9T2PoftxGF
TLSH T1B3F4120236A0D827C41E05778CBBE9FD6FBAAD5E6DD4028B3395732E3877661B94D204
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orden de compra 49545.rar
Verdict:
Malicious activity
Analysis date:
2023-10-10 07:52:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc46f1c8-f2cb-4d2a-aa91-39e863a89732

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457927/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.918.23462.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file
Delayed reading of the file
Searching for the window
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
89%
Tags:
control guloader installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6544a2a90ca0b01851730494/reports/fc822d86-b6ac-4f87-895c-9be0ef2c6cff/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/27f598db14b0b24b388c48d2856045bdd2675e3bb82db4c91046bc04de6ef094
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8fc3c5cd-ee04-4457-bc25-236a094b5def
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1336454
Signature
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1336454 Sample: Orden_de_compra_49545.exe Startdate: 03/11/2023 Architecture: WINDOWS Score: 76 39 drive.google.com 2->39 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected GuLoader 2->45 8 Orden_de_compra_49545.exe 1 39 2->8         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\System.dll, PE32 8->37 dropped 47 Writes to foreign memory regions 8->47 49 Mass process execution to delay analysis 8->49 51 Maps a DLL or memory area into another process 8->51 12 powershell.exe 8->12         started        14 powershell.exe 8->14         started        16 powershell.exe 8->16         started        18 78 other processes 8->18 signatures6 process7 dnsIp8 21 conhost.exe 12->21         started        23 conhost.exe 14->23         started        25 conhost.exe 16->25         started        41 drive.google.com 192.178.50.46, 443, 49774, 49775 GOOGLEUS United States 18->41 27 conhost.exe 18->27         started        29 conhost.exe 18->29         started        31 conhost.exe 18->31         started        33 74 other processes 18->33 process9
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/27f598db14b0b24b388c48d2856045bdd2675e3bb82db4c91046bc04de6ef094
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27f598db14b0b24b388c48d2856045bdd2675e3bb82db4c91046bc04de6ef094/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 01:42:31 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e72zrwyuwczewoemjdjikycfxxjgoxr3xaw3jsiqi26ajxto6cka._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231103-jen4nsga25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SH256 hash:
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87
MD5 hash:
6c881f00ba860b17821d8813aa34dbc6
SHA1 hash:
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13
Link:
https://www.unpac.me/results/e539b053-d3a4-42be-bd68-c7069c26cc69/
SH256 hash:
c6c5f8bb7ee3662e81896481ed380fad3ad192adadfbaf9ebc2131fd383bb5b1
MD5 hash:
d1dd8b3ac90787056e5c808aa0eecd1d
SHA1 hash:
7b5f074abdd942c0dd56d8034e68d68638a4b710
Link:
https://www.unpac.me/results/e539b053-d3a4-42be-bd68-c7069c26cc69/
SH256 hash:
832da3cff792135ecb98f44c387bea3a8e2e9bd096b917303ca8b9dc71d60365
MD5 hash:
50a9396a761bf245ed4df1b08782d6f2
SHA1 hash:
e01a99100e91801abe074341b0c77cca6220f0bd
Link:
https://www.unpac.me/results/e539b053-d3a4-42be-bd68-c7069c26cc69/
SH256 hash:
27f598db14b0b24b388c48d2856045bdd2675e3bb82db4c91046bc04de6ef094
MD5 hash:
4f4f68ef8d8e4435618b6195b0a236f1
SHA1 hash:
f31fee2bf828fb0519f00dcfb9022488024324b7
Link:
https://www.unpac.me/results/e539b053-d3a4-42be-bd68-c7069c26cc69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27f598db14b0b24b388c48d2856045bdd2675e3bb82db4c91046bc04de6ef094

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 27f598db14b0b24b388c48d2856045bdd2675e3bb82db4c91046bc04de6ef094

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/457927/

Comments