MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988
SHA3-384 hash: 92469b5267f3e5c8dea7fd243d450402256eaaf8ef63c4c90d0890131e8dcf4e938fc8e90bf9437fa5798bec035da961
SHA1 hash: 6fc35822b5bad637ba5461e9adc7abf898e7379b
MD5 hash: 70150caa27d26356db5664b04c3a36b8
humanhash: timing-quiet-idaho-magnesium
File name:PO 5429200.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:480'632 bytes
First seen:2024-03-21 17:01:42 UTC
Last seen:2024-03-21 18:42:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep 12288:dXRH7rx/Qptf60HXL2zGWXkGzb0dJXHuPBVIOwsH:dXRH7rxwzL2zHhF5e1sH
Threatray 81 similar samples on MalwareBazaar
TLSH T167A40251714494A3E8372671DC5FD62207237F1A47AA4A3F1293B7AD78F3362462FA07
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 08c0248ca4b0c1c5 (1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Here
Issuer:Here
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-27T23:47:43Z
Valid to:2026-09-26T23:47:43Z
Serial number: 1d3dcdbe5e1f86251904d004ef8c94b4110ceb95
Thumbprint Algorithm:SHA256
Thumbprint: 4b4187fc2046f264fc8f345a8bd28f66817e05c852d03e106b40c3b7e6f7faf0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
352
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988.exe
Verdict:
Malicious activity
Analysis date:
2024-03-21 17:03:55 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/04e7eafd-dd0e-453b-9f14-013efd96daa0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.7018.23216.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Delayed reading of the file
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Sending an HTTP GET request
Forced system process termination
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65fc6809757c624818b55fb4/reports/e578248c-9533-4918-994b-93abd865165f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bdcfbd10-2e92-468e-ae22-4baaf3cb01fa
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1413382
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1413382 Sample: PO 5429200.exe Startdate: 21/03/2024 Architecture: WINDOWS Score: 100 31 www.agencybest.xyz 2->31 33 xiaoyue.zhuangkou.com 2->33 35 26 other IPs or domains 2->35 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 55 5 other signatures 2->55 10 PO 5429200.exe 6 32 2->10         started        signatures3 53 Performs DNS queries to domains with low reputation 31->53 process4 file5 29 C:\Users\user\AppData\Local\...\System.dll, PE32 10->29 dropped 13 PO 5429200.exe 6 10->13         started        process6 dnsIp7 43 172.93.160.2, 50362, 80 ASN-QUADRANET-GLOBALUS United States 13->43 67 Maps a DLL or memory area into another process 13->67 17 zsvhcPXDFfXeuyixTsrNvoCf.exe 13->17 injected signatures8 process9 signatures10 45 Found direct / indirect Syscall (likely to bypass EDR) 17->45 20 help.exe 13 17->20         started        process11 signatures12 57 Tries to steal Mail credentials (via file / registry access) 20->57 59 Tries to harvest and steal browser information (history, passwords, etc) 20->59 61 Modifies the context of a thread in another process (thread injection) 20->61 63 2 other signatures 20->63 23 zsvhcPXDFfXeuyixTsrNvoCf.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 www.quickstart.design 46.28.106.211, 50416, 50417, 50418 WEDOSCZ Czech Republic 23->37 39 xiaoyue.zhuangkou.com 47.76.88.64, 50388, 50389, 50390 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States 23->39 41 11 other IPs or domains 23->41 65 Found direct / indirect Syscall (likely to bypass EDR) 23->65 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=irup4uxkllvtxmdhh2qqd6myt7skd2r65d3strspk33ggjhjjgea._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
formbook
Create hunting rule
Similar samples:
11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
GuLoader
20c6326c049e6fb205a5feb6266b8ed8061a31fd770dc7771c61995bd701fe7b
GuLoader
3854783710a249c1b8d553d298623ec63cc957281d703af14cf778bf18c06a34
GuLoader
496278998f3dbc4bd9cc37ee7e9628cc7a8372f55cb65c5f143b6723bec46096
GuLoader
4c97b96baa6e3c1ef907482abe84083c8813d45545d138ec5b9cc456f0027e1b
GuLoader
5fd79e8094fb1ac9dbc167219bc3218cf07a5679edc11f7847c5cd0b2e756309
GuLoader
9845e47adb818b782750715818bf6e47883961eaaf623db8c9554c03d371903c
GuLoader
e0516ae8e938052542c7e7a89713f02c0acf64a7ae9fe210ddbcd618d995e70b
GuLoader
e156c4e8e53c6b93166fea54fb521d9eb8bc74143ad52697a28809f5639205cf
GuLoader
f27ddc5f225f50a392bfcf9cbd59557d445f5ad47f1ad31f1a899aec1ec92611
GuLoader
+ 71 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/240321-vj3y6scf49/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
MD5 hash:
4add245d4ba34b04f213409bfe504c07
SHA1 hash:
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
Link:
https://www.unpac.me/results/dce145c8-2137-4063-9f6f-e471b3a84d58/
SH256 hash:
4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988
MD5 hash:
70150caa27d26356db5664b04c3a36b8
SHA1 hash:
6fc35822b5bad637ba5461e9adc7abf898e7379b
Link:
https://www.unpac.me/results/dce145c8-2137-4063-9f6f-e471b3a84d58/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4468fe52ea5a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4468fe52ea5aeb3bb0673ea101f9989fe4a1ea3ee8f729c64f56f66324e94988

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments