MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695
SHA3-384 hash: 933f15d947d2d9db49a52d88512f4b407071e768279151b7c3805c1656b4a4c6ef777ea6bbfc7881e2f2a60edebd5553
SHA1 hash: d97d40727ccd6e986d1dfaa29f2fab0a120d4570
MD5 hash: a514bb17edd4f17598fd3a7ebf844626
humanhash: one-eighteen-alanine-enemy
File name:29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695
Download: download sample
Signature GuLoader
Create hunting rule
File size:289'456 bytes
First seen:2023-03-08 12:05:25 UTC
Last seen:2023-03-08 13:32:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (54 x GuLoader, 17 x RemcosRAT, 16 x AgentTesla)
ssdeep 6144:qicFyLNwIpC0p/iGtKC1WHPADZEKyKIRAZ8epLAof9YF:FPiIpC2tKGWHCH6AZppLB8
Threatray 321 similar samples on MalwareBazaar
TLSH T1205413A152B8C4C7F5B2583348322E1B4BF6D9371110676723E4AE8DBE367C3561B6CA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 69dcba23b392dc79 (3 x AveMariaRAT, 1 x NanoCore, 1 x GuLoader)
Reporter adrian__luca
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-22T08:34:00Z
Valid to:2025-05-21T08:34:00Z
Serial number: 75f21a283f8e60966e9efeb07aef51cc9fc7efba
Thumbprint Algorithm:SHA256
Thumbprint: 2a56850cfc6dae20fe041848f271ca71d0dc938e9e1c332fd1ea788a8176d983
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695
Verdict:
Malicious activity
Analysis date:
2023-03-08 12:07:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eef7a36d-be11-43bf-8ee7-f994332f1802

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372550/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65643967.12311.17004.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64087a2c58ebe55355909573/reports/543b3831-80d8-48a2-ace9-02b8a5efd747/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab322797-ad27-4433-b3c1-66fdc7585297
Result
Threat name:
AveMaria, GuLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189389
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to hide user accounts
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Yara detected AveMaria stealer
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 12191 Sample: IUTJrFXLRN.exe Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 67 googlehosted.l.googleusercontent.com 2->67 69 drive.google.com 2->69 71 doc-0g-ac-docs.googleusercontent.com 2->71 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 4 other signatures 2->87 12 IUTJrFXLRN.exe 34 2->12         started        16 Windows.exe 20 2->16         started        signatures3 process4 file5 61 C:\Users\user\AppData\Local\...\System.dll, PE32 12->61 dropped 99 Drops PE files to the document folder of the user 12->99 101 Adds a directory exclusion to Windows Defender 12->101 103 Tries to detect Any.run 12->103 18 IUTJrFXLRN.exe 6 13 12->18         started        63 C:\Users\user\AppData\Local\...\System.dll, PE32 16->63 dropped 23 Windows.exe 2 9 16->23         started        signatures6 process7 dnsIp8 73 drive.google.com 142.250.184.206, 443, 49812 GOOGLEUS United States 18->73 75 googlehosted.l.googleusercontent.com 142.250.186.129, 443, 49813, 49826 GOOGLEUS United States 18->75 53 C:\Users\user\Documents\Windows.exe, PE32 18->53 dropped 55 C:\Users\user\AppData\...\Overcoolly.exe, PE32 18->55 dropped 57 C:\Users\user\...\Windows.exe:Zone.Identifier, ASCII 18->57 dropped 89 Adds a directory exclusion to Windows Defender 18->89 91 Tries to detect Any.run 18->91 93 Increases the number of concurrent connection per server for Internet Explorer 18->93 95 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->95 25 Windows.exe 20 18->25         started        29 powershell.exe 23 18->29         started        77 142.250.186.174, 443, 49825 GOOGLEUS United States 23->77 31 cmd.exe 23->31         started        file9 signatures10 process11 file12 59 C:\Users\user\AppData\Local\...\System.dll, PE32 25->59 dropped 97 Multi AV Scanner detection for dropped file 25->97 33 WerFault.exe 21 16 25->33         started        35 conhost.exe 29->35         started        37 sdclt.exe 31->37         started        39 conhost.exe 31->39         started        41 sdclt.exe 31->41         started        43 sdclt.exe 31->43         started        signatures13 process14 process15 45 control.exe 37->45         started        process16 47 Windows.exe 45->47         started        file17 65 C:\Users\user\AppData\Local\...\System.dll, PE32 47->65 dropped 79 Tries to detect Any.run 47->79 51 Windows.exe 47->51         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 12:54:17 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
21 of 39 (53.85%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhncdeff4baog3hxtr4ur3fciqiawzhoverww4tz7fzyd7od42kq._file
Verdict:
malicious
Similar samples:
10a21f1899dd0e83ead2011c4638017bc4723a06be0c2058a9f3214da4974a8d
GuLoader
1a090934724f507a62abdf0d9b07f477cc504d50b469f52797df17fc8739549a
GuLoader
334911b248ad837e24303037e3733e61b119998dc1e1ce8bf7a444754a4cda01
GuLoader
472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89
GuLoader
4b1e07f367e2c29e90cad5cd928dc1572dbcedfb04cd722fba01c67a7d349361
GuLoader
89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944
GuLoader
b076cbf14c6f0a9bbb4aaaf8242622cefb6bccdf2aef9e130b48a0552bb5016f
GuLoader
bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350
GuLoader
d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87
GuLoader
+ 311 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:warzonerat downloader infostealer persistence rat
Link:
https://tria.ge/reports/230308-n9qyzaff6s/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Executes dropped EXE
Loads dropped DLL
Guloader,Cloudeye
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/e28e3f3a-cdbc-43fb-b09f-8ff43c65057e/
SH256 hash:
29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695
MD5 hash:
a514bb17edd4f17598fd3a7ebf844626
SHA1 hash:
d97d40727ccd6e986d1dfaa29f2fab0a120d4570
Link:
https://www.unpac.me/results/e28e3f3a-cdbc-43fb-b09f-8ff43c65057e/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29da2190a5e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372550/

Comments