MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 346f721674b0ca7df2703e4ba5847ccc6a9fb550e8ccc28599af452bf499ef82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 346f721674b0ca7df2703e4ba5847ccc6a9fb550e8ccc28599af452bf499ef82
SHA3-384 hash: 4b59f8900e6f18b491ad347cff129aad35ff211a25c91bfba853939e955fe3830a923c5db6ac71a44d2754d4f8fd8e57
SHA1 hash: 1bf039f271fdde1c57b812d9c2e6de8761a04452
MD5 hash: 5241768458545a52f0b32811a46ad15f
humanhash: four-iowa-kitten-hamper
File name:PURCHASE REQ.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:681'084 bytes
First seen:2023-12-11 13:23:06 UTC
Last seen:2023-12-18 08:51:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep 12288:NsG0v3WS946/UGG9f6YNip5cfr9G2HRWSHyVYY5NmPCipQ+m:NsG0vmD6sv9VNc5k9rRWSHMYY5o/6+m
Threatray 759 similar samples on MalwareBazaar
TLSH T177E41247BA2C53AED3D6C671393A0271879DCF9305514A4ABBD8FE9C703108EAA572D2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e2ee8a8eb6d8ecf4 (56 x AgentTesla, 39 x RemcosRAT, 38 x GuLoader)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/465147/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/65770f633636548f374a6875/reports/859fd1ce-1418-4c76-87e0-88be360d11f8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/346f721674b0ca7df2703e4ba5847ccc6a9fb550e8ccc28599af452bf499ef82
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ac2d1e3-85d6-4327-bfd1-39e5ea370cff
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1358425
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/346f721674b0ca7df2703e4ba5847ccc6a9fb550e8ccc28599af452bf499ef82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/346f721674b0ca7df2703e4ba5847ccc6a9fb550e8ccc28599af452bf499ef82/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 08:37:20 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=grxxeftuwdfh34tqhzf2lbd4zrvj7nkq5dgmfbmzv5csx5ez56ba._file
Verdict:
unknown
Similar samples:
1eda1b310543e616e8b7b97e8e5f13597fb3a67ed9658b3daba2f49361563689
GuLoader
26e297f8f4bf5837af4c8b5132598c2eed45245c4f6baf0e8c960ff2a555989e
GuLoader
47e71db77dc8258663e0715a3b8d4a1c9e105f76a0c771d79654fd03236bfd1e
GuLoader
5f6366e20fde275710415f996748edb9f1091c0b0e47bf2ddc91a59ecd90d54c
GuLoader
6bb2f555edca2bc8b12c33f65b84d05a570043de008ec8d9a31a6b4952f01d02
GuLoader
7384dec8a7a13e1709dff93154c0cd796055798a19fe470f30c211a991d46849
GuLoader
87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
GuLoader
d42cc862ab4fb764a7a376e528a6373d2f939353d8ea223f2b1e1abd28c5cc84
GuLoader
e278ecca391be13103b9584a01fd2bbd4fabdfef4756e3870e48140a304894e2
GuLoader
f2ad5670f46f3be3f5bd5b6bd9d3122dad6a48664bad0e6f4418396e02ab8c00
GuLoader
+ 749 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231211-qr6mtafgbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
a87bd092fa5bc00661525455b9f866b68c14c29224520c4e38f56f47234cfc1e
MD5 hash:
f5b0c649b0cfc103fb113d013d48cacb
SHA1 hash:
f89286966000cb053b7e94100c76ec6d1129af07
Link:
https://www.unpac.me/results/4e777221-5f15-4ce8-8163-c98c056bab98/
SH256 hash:
346f721674b0ca7df2703e4ba5847ccc6a9fb550e8ccc28599af452bf499ef82
MD5 hash:
5241768458545a52f0b32811a46ad15f
SHA1 hash:
1bf039f271fdde1c57b812d9c2e6de8761a04452
Link:
https://www.unpac.me/results/4e777221-5f15-4ce8-8163-c98c056bab98/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/346f721674b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/346f721674b0ca7df2703e4ba5847ccc6a9fb550e8ccc28599af452bf499ef82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 346f721674b0ca7df2703e4ba5847ccc6a9fb550e8ccc28599af452bf499ef82

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/465147/

Comments