MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38b1fa09afda5be40267c84dc88ed1291301a6f031b2de0185d40dd9372b2c45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38b1fa09afda5be40267c84dc88ed1291301a6f031b2de0185d40dd9372b2c45
SHA3-384 hash: e05d25e2224dd746b90df47d3d40c641cecd3bd9f54e827c31899daca1ed32d365f5ace3670269fbaacbe1cf71ec7e15
SHA1 hash: c3a0f067c0366b0818cb1a823322607509131916
MD5 hash: 8d4facbc82e988130375c5a5e7191e4e
humanhash: pizza-hot-blue-virginia
File name:Factura 0104109174pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:374'630 bytes
First seen:2023-07-10 13:44:31 UTC
Last seen:2023-07-11 05:56:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b40f29cd171eb54c01b1dd2683c9c26b (45 x GuLoader, 16 x RemcosRAT, 15 x VIPKeylogger)
ssdeep 6144:/oShfEPZVheNA+ff03PJRnEv9Qw7ojvWUqyIMf6rbnf3I:QqCnhe2e47W9Q3DWLsfO/I
Threatray 3'245 similar samples on MalwareBazaar
TLSH T14A844A9239DA356FDC2F4678035FEAB22A795CD0B382486E4F40361E4C3654A90EEDD7
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c88604b919c6c6c0 (77 x GuLoader, 10 x Formbook, 8 x AgentTesla)
Reporter lowmal3
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Factura 0104109174pdf.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-10 13:46:03 UTC
Tags:
installer
Link:
https://app.any.run/tasks/564331c7-1702-47fc-bad7-1da7f74464a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/413854/
Detection(s):
SecuriteInfo.com.W32.Trojan.MIVJ-5088.23426.25750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Delayed reading of the file
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64ac0b609bd9f933fbb94138/reports/404d08db-2593-49b9-b5f0-717c61534577/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/38b1fa09afda5be40267c84dc88ed1291301a6f031b2de0185d40dd9372b2c45
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8e6c2c7c-46bd-4e33-b889-46e515362316
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1269790
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38b1fa09afda5be40267c84dc88ed1291301a6f031b2de0185d40dd9372b2c45/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcy7ucnp3jn6iathzbg4rdwrfejqdjxqggzn4amf2qg5snzlfrcq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
22b6816c45f86b303404b94b09b852a910d4ef335c05244c4acf6450ed86572b
GuLoader
2ac28f2913c6e2d231d0b67b49a3491f4046221a42ca349f586e0532ac257575
GuLoader
2cd9e8fc5b73c35422b79574233937370a03f6714ba9e813da80ac2974b4cf91
GuLoader
5069d4603ed9201d98988deb46e1e5627d622f47a498b3decb96ae1b02da3496
GuLoader
7c397e8792e6dbc64b6d5fd80a2ed4d82e76c1e0e9d7a262f089e1c1e8c438df
GuLoader
80c223f70302436ab080c4c7e8d75f3b3d60c4266a41d0afc56fc6c52cb04352
GuLoader
a5bbf13f56f953eb2313a2b3d2c0c06d14bc1455a06f01ec91a7f4e2e3757297
GuLoader
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
GuLoader
cd0120b7c1d114b73fd768a37de9e2c34fb1662a3e1dc620b34763410ccb6d7e
GuLoader
fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534
GuLoader
+ 3'235 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/230710-q2dpsabg9y/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2
MD5 hash:
6ad39193ed20078aa1b23c33a1e48859
SHA1 hash:
95e70e4f47aa1689cc08afbdaef3ec323b5342fa
Link:
https://www.unpac.me/results/1f508cac-9a77-4e5a-8f44-2bcc1de80c94/
SH256 hash:
38b1fa09afda5be40267c84dc88ed1291301a6f031b2de0185d40dd9372b2c45
MD5 hash:
8d4facbc82e988130375c5a5e7191e4e
SHA1 hash:
c3a0f067c0366b0818cb1a823322607509131916
Link:
https://www.unpac.me/results/1f508cac-9a77-4e5a-8f44-2bcc1de80c94/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38b1fa09afda/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 38b1fa09afda5be40267c84dc88ed1291301a6f031b2de0185d40dd9372b2c45

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/413854/

Comments