MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee
SHA3-384 hash: c270d61623f81f3a9014628ba642cc57b380fc58d70e1c862e1210bce25f0c36f5170701f371a3ca831ab95a8eb4b161
SHA1 hash: bc9bf2f5cc8e6f9fb1008905d0e7a6c3a5d3f43c
MD5 hash: b104e05eb8ff91c9745ae61b42e2c6da
humanhash: fourteen-skylark-lake-romeo
File name:fatura_20220209.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:126'768 bytes
First seen:2022-04-04 09:53:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:y3yddvw8pSutvb4Ty/W1XUpvFpNnst7gCO76kaulLkUNVWTDbL:y3yztLxo+WBgCgVfLkK8f
Threatray 976 similar samples on MalwareBazaar
TLSH T1A9C3F1105B75C027F8A15B700C79AB13BAFAE9116870861F67E0678A7C763819A3F74F
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Unblazoned
Issuer:Unblazoned
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-30T13:07:08Z
Valid to:2023-03-30T13:07:08Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 94ff45716551bb7f44e3ab02e762815fb5751e90907f44fc902c8f8d964930a1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260442/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39392010.32245.4849.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12522/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/624ac041aa7e43c6a6b5da7b/reports/ae7f3fa6-e48f-4bba-9da6-ba1295d7bee5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c22e1de6-97e7-4674-a652-4ea58209bb0a
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/970167
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 602662 Sample: fatura_20220209.exe Startdate: 04/04/2022 Architecture: WINDOWS Score: 84 22 drive.google.com 2->22 26 Found malware configuration 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected GuLoader 2->30 32 2 other signatures 2->32 8 fatura_20220209.exe 20 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Local\...\System.dll, PE32 8->20 dropped 34 Writes to foreign memory regions 8->34 36 Tries to detect Any.run 8->36 38 Hides threads from debuggers 8->38 12 CasPol.exe 13 8->12         started        16 CasPol.exe 8->16         started        signatures6 process7 dnsIp8 24 drive.google.com 142.250.185.78, 443, 49749, 49750 GOOGLEUS United States 12->24 40 Tries to detect Any.run 12->40 42 Hides threads from debuggers 12->42 18 conhost.exe 12->18         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee/
Threat name:
Win32.PUA.Contebrew
Create hunting rule
Status:
Malicious
First seen:
2022-03-31 00:40:16 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 42 (35.71%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2j4pjh37okapk6ubqdfwe6nhjcdqsb7acfan4wgsl6edmww37xa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
076eee978cec1be476b4e103c42ca6081b8f6f73ddccdee87998df2f3b665f31
GuLoader
09b3b8a4933696acf7585e19d17045af88d17aba682eb437291a2ccdd5e76ba3
GuLoader
1298d5b931dadd03d47b41c51556fb5707a6af6df9b4b483686fdbf155d083fd
GuLoader
3944b429bf931ab06a980d4d15dfd69b5ea442c68938e0aee354e6c25311f94f
GuLoader
75f352e00f106877b2e7197ab6b6be0234aba379dec517009a7e26bfef612921
GuLoader
bf4737d1003544ac9fa65fd5b2bc42114baa9691b968f7905d70f8b2c82a9672
GuLoader
c5cbf9085eac3f9c2b9cbbf939c90f00d041f0f598b7762af7b371fe3cb61def
GuLoader
+ 966 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220404-lw7nfshaek/
Behaviour
Enumerates physical storage devices
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
f1c5e4055c7f233e8399c7c9c51c7749def871a2dea82f9756ecca88bbf8e8f3
MD5 hash:
2cc286f4e276045adb888bd5fae938f5
SHA1 hash:
306df8c471b5b6d8597bc9048496b75a5a4d19a0
Link:
https://www.unpac.me/results/8f52ca4b-c075-4e3d-9510-73349b052085/
SH256 hash:
2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee
MD5 hash:
b104e05eb8ff91c9745ae61b42e2c6da
SHA1 hash:
bc9bf2f5cc8e6f9fb1008905d0e7a6c3a5d3f43c
Link:
https://www.unpac.me/results/8f52ca4b-c075-4e3d-9510-73349b052085/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/260442/

Comments