MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d08ef8c047e8dbe3fcc4006acfd53b2b40fc9e02fef110884b1923ff067c69c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d08ef8c047e8dbe3fcc4006acfd53b2b40fc9e02fef110884b1923ff067c69c
SHA3-384 hash: 8b4d3f8ba1ee61e93f0649677559469590efa34ba83c2e2a55500f1aa7410a3e8237575641490053c1b2f7ff08ff074d
SHA1 hash: 2e2f00553172310fdc384a79916431ef41ca1562
MD5 hash: 95cc0f9df0a49b96c9b55fc9d1d81c5e
humanhash: carbon-angel-football-golf
File name:DR770124.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:309'505 bytes
First seen:2023-05-15 12:35:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 6144:fDpoe8dhzfwRiQ8RwwDtgw4H6jyVRS0c53mjZcGiMc:uzIADtgw4aRxm9U
Threatray 1'221 similar samples on MalwareBazaar
TLSH T1C764AE83F58087D1E8F68A3124F6497F833F6E7A9A17470F668C7BB02DB71425227586
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 04cce2b88cf839c2 (7 x AZORult, 1 x Formbook, 1 x GuLoader)
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DR770124.exe
Verdict:
Malicious activity
Analysis date:
2023-05-15 12:37:22 UTC
Tags:
installer
Link:
https://app.any.run/tasks/d21dcd25-e7ea-41e9-9fda-503866290465

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390117/
Detection(s):
SecuriteInfo.com.ADWARE.Adware.Gen.171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
azorult overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/646226f818c2b9a49ad23c54/reports/a033a230-92e7-4fbb-ad8c-819dd7cb4529/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/3d08ef8c047e8dbe3fcc4006acfd53b2b40fc9e02fef110884b1923ff067c69c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c8671f8b-3ced-4845-a8ef-ed009808091b
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1233716
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 866700 Sample: DR770124.exe Startdate: 15/05/2023 Architecture: WINDOWS Score: 100 31 www.theguttercleaningservice.com 2->31 33 www.slatevehicles.net 2->33 35 31 other IPs or domains 2->35 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 7 other signatures 2->51 11 DR770124.exe 1 45 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\System.dll, PE32 11->29 dropped 14 DR770124.exe 6 11->14         started        process6 dnsIp7 43 globosphera.org 92.222.244.238, 49834, 80 OVHFR France 14->43 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Tries to detect Any.run 14->61 63 Maps a DLL or memory area into another process 14->63 65 3 other signatures 14->65 18 explorer.exe 4 1 14->18 injected signatures8 process9 dnsIp10 37 kalidaddigifirm.com 192.254.234.51, 49839, 80 UNIFIEDLAYER-AS-1US United States 18->37 39 lorienmakessense.com 15.197.142.173, 49844, 49848, 80 TANDEMUS United States 18->39 41 12 other IPs or domains 18->41 53 System process connects to network (likely due to code injection or exploit) 18->53 22 msiexec.exe 18->22         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d08ef8c047e8dbe3fcc4006acfd53b2b40fc9e02fef110884b1923ff067c69c/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-05-12 20:09:51 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hueo7daep2g34p6miadkz7ktwk2a7spaf7xrcceewgjd74dhy2oa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06243274174960778e1adac528d0c2641cf742fa2ba0759c9fe762f7a0692aff
GuLoader
0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656
GuLoader
3e742163144a721a8d6733f9653c2acca1638eced30159467a6768aff047f25c
GuLoader
40af7ea5c438a5e5d39e726925d6ce11eadb0438f7dcaa50e753e7bb393f6775
GuLoader
5a2e7eb559e1d587d537ff0033d00fb27f7e17bf0c2a5db6bb3842b9e2fa9972
GuLoader
81ce31f6f3cd9a6a6037c411a1485bee35eaa93965fc6ccc2bd857c991fcad90
GuLoader
83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9
GuLoader
c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
GuLoader
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
GuLoader
ee06ec93a5853e2753e8c758fda076944b7cb7cc657fb249b03d28cbc45db077
GuLoader
+ 1'211 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:bb27 downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/230515-psbndsdg21/
Behaviour
Enumerates physical storage devices
Loads dropped DLL
Formbook payload
Formbook
Guloader,Cloudeye
Unpacked files
SH256 hash:
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
MD5 hash:
a436db0c473a087eb61ff5c53c34ba27
SHA1 hash:
65ea67e424e75f5065132b539c8b2eda88aa0506
Link:
https://www.unpac.me/results/3db09659-5dbd-4412-845c-47b205522d10/
SH256 hash:
3d08ef8c047e8dbe3fcc4006acfd53b2b40fc9e02fef110884b1923ff067c69c
MD5 hash:
95cc0f9df0a49b96c9b55fc9d1d81c5e
SHA1 hash:
2e2f00553172310fdc384a79916431ef41ca1562
Link:
https://www.unpac.me/results/3db09659-5dbd-4412-845c-47b205522d10/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/390117/

Comments