MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28ae6b089bb3e28d0e927fddc34b774a349589c9a62c8636b63a060bb8d5cdb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	28ae6b089bb3e28d0e927fddc34b774a349589c9a62c8636b63a060bb8d5cdb9
SHA3-384 hash:	e34dbe023b2f29ae951387ed5d811b8d3acd34b5df94951f7faaa8cb0e3c748bcecff4258c356d6aeffe549a39aa61c6
SHA1 hash:	b780440d7b4e201c65a8386e31b13233a168d85a
MD5 hash:	8bdd1398bf46b1e92706ac9584e6c9a7
humanhash:	ohio-minnesota-tennessee-neptune
File name:	Demark order.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	212'904 bytes
First seen:	2022-10-04 11:13:12 UTC
Last seen:	2022-10-08 06:53:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep	3072:R7y2vi7CHQiXJ3jSiNTIV/eua6WiaUgFW3y1hgInxTzdeJ86oNdV1aOx2iNsygP+:R7y5gB2iOV/eXiJCsOL6bojV1p7aw
Threatray	600 similar samples on MalwareBazaar
TLSH	T11E24AEE6358091E2EA6ABD32C42AC67147336D2B97D11A4F22F47B3B14631235B1F52F
TrID	92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	e1c8a4d8f0fcf830 (2 x GuLoader)
Reporter	abuse_ch
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-07-20T03:45:58Z
Valid to:	2025-07-19T03:45:58Z
Serial number:	14d790f1d4e84517
Thumbprint Algorithm:	SHA256
Thumbprint:	781972daf8f6c3067cb798822b25a47dd70f12ba2bfe14736b9983437e10f583
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

837

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/316463/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.11419.31323.5750.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Searching for the window

Creating a file

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/633c157cc9e2f3435432982b/reports/9acdf2a0-8371-4882-bfad-0c67423eb1bc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/17e94215-83e3-43cd-8c51-7cf81abe92e6

Result

Threat name:

GuLoader, Remcos

Detection:

malicious

Classification:

troj.evad.phis.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1083805

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected GuLoader

Yara detected Remcos RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/28ae6b089bb3e28d0e927fddc34b774a349589c9a62c8636b63a060bb8d5cdb9/

Threat name:

Win32.Trojan.InjectorX

Status:

Malicious

First seen:

2022-10-04 04:49:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 41 (31.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fcxgwce3wpri2dusp7o4gs3xji2jlcojuywimnvwhidaxogvzw4q._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

194fe792044279124a5e298a697897e99df0dd83f7c51d6bee295b447810531d

GuLoader

41810fd3481f8d4ccfb45fddc97fef5ccdff10af555a2c1fa239c541d3fd16a3

GuLoader

4d688c6baec0d972c248f7747f18dc385e67a0fb2b1a5deb70f324b16220780d

GuLoader

778463dc4bc09f828ebcadef7aa7d828f5d1240b6adbf4dff33d7938a62e485e

GuLoader

95b9a3dab50db7b096629c3f9265b131627909ddeffdcab6da1093a4f4e83fd3

GuLoader

c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce

GuLoader

+ 590 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/221004-nbzhfsbacq/

Behaviour

Enumerates physical storage devices

Checks installed software on the system

Loads dropped DLL

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2027c67c-8de8-405f-8c1c-2ad17f193ab2

Unpacked files

SH256 hash:

484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

MD5 hash:

960a5c48e25cf2bca332e74e11d825c9

SHA1 hash:

da35c6816ace5daf4c6c1d57b93b09a82ecdc876

Link:

https://www.unpac.me/results/e1f1595a-46a2-4f5e-b0ab-092003c6b461/

SH256 hash:

28ae6b089bb3e28d0e927fddc34b774a349589c9a62c8636b63a060bb8d5cdb9

MD5 hash:

8bdd1398bf46b1e92706ac9584e6c9a7

SHA1 hash:

b780440d7b4e201c65a8386e31b13233a168d85a

Link:

https://www.unpac.me/results/e1f1595a-46a2-4f5e-b0ab-092003c6b461/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

GuLoader

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/28ae6b089bb3e28d0e927fddc34b774a349589c9a62c8636b63a060bb8d5cdb9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/316463/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample