MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a7494bf219e9421f2aaf50f46b391b813b1df67aa4a929dfed977a4ae8875bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	4a7494bf219e9421f2aaf50f46b391b813b1df67aa4a929dfed977a4ae8875bb
SHA3-384 hash:	5884958a34ddb8263fbaab3955b5b3b3f825f0eab0e9fb742af4f1e2e64f317409aaf36495cf7665ac568ac25f55f6d6
SHA1 hash:	c3505df403fb201a0e88754e6569218602591b1b
MD5 hash:	0cd77fa4bf9bd37559c7f4486fbb8fcf
humanhash:	carbon-low-william-burger
File name:	rZiraatBankasiSwiftMesaji_pdf.exe
Download:	download sample
Signature	GuLoader Alert Create hunting rule
File size:	162'590 bytes
First seen:	2023-05-22 12:54:48 UTC
Last seen:	2023-05-22 16:35:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep	3072:1DQkrZoosbIfXJ/ppJCMMcXfsNsYWDU9QyxUrMITgPJXmJ1fZdZkh+P/pkZEWPbe:1DpoeJFPk+YMIogI0PJWfZdqkPqZhPRo
Threatray	1'595 similar samples on MalwareBazaar
TLSH	T136F30222BBFA849FF62206712A3B9751E636A61271179ECB1B557F350D31603CE0B6C3
TrID	92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	e0a8e0c8e0a0a2ca (5 x GuLoader, 3 x Formbook)
Reporter	FXOLabs
Tags:	exe GuLoader

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

272

Origin country :

BR

Vendor Threat Intelligence

ANY.RUN Suspicious

Malware family:

n/a

ID:

1

File name:

rZiraatBankasiSwiftMesaji_pdf.exe

Verdict:

Suspicious activity

Analysis date:

2023-05-22 12:57:08 UTC

Tags:

installer

Link:

https://app.any.run/tasks/15c369d5-c330-47b2-ab4a-e6b906c322b2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

ClamAV Detected

Detection(s):

SecuriteInfo.com.ADWARE.Adware.Gen.171.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file in the %AppData% subdirectories

Delayed reading of the file

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/646b662763a917e7a57ead69/reports/0b2ddf68-8bbf-4b55-a616-9f4768112a4a/overview

Hybrid Analysis Win/malicious_confidence_60%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/4a7494bf219e9421f2aaf50f46b391b813b1df67aa4a929dfed977a4ae8875bb

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a2b13579-26a1-44f0-9072-3d42adcdc17f

Joe Sandbox GuLoader

Result

Threat name:

GuLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1239626

Signature

Antivirus detection for URL or domain

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a7494bf219e9421f2aaf50f46b391b813b1df67aa4a929dfed977a4ae8875bb/

ReversingLabs TitaniumCloud Win32.Trojan.Guloader

Threat name:

Win32.Trojan.Guloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-22 12:55:05 UTC

File Type:

PE (Exe)

Extracted files:

4

AV detection:

17 of 24 (70.83%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jj2jjpzbt2kcd4vk6uhunm4rxaj3dx3hvjfjfhp63f32jluiow5q._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

16dbc44d14a74defb998a30220b5401ab840e1590e895a3ed5b2cb96b4c3a3c3

GuLoader

3af2c0904f3729e0408f6479f4222d5fbcf695f2b5cd32e8737e8690661bb18b

GuLoader

56462c46e025fb1ddfe7793825dbde4130e9db4052b271f21b60069efeba96f6

GuLoader

86c095bb19bc65eed3cd2edeb97ec3101b10818086329f7c6e6431ac67dcbd8b

GuLoader

97afcb0a77ff4e18dea8e6c22f392e67271db8316b112f9086904d7b4ab065ca

GuLoader

c4ab14d93e54b2c6e70fa0f284cee729b56186894dfdff4207cbc3d0c690c80f

GuLoader

c6b45b5143c6a8aefe0c044db55553615eae339eeb70280146235369ebd4f49b

GuLoader

d65074de0434f87442490fd9b1dead7f0feff44e1b49ee74ac9636f67c3d66d2

GuLoader

e044ecf0f485711cc6e4e8bbd56819838787b2365893783b3794a969ce2b5aeb

GuLoader

e57304555042d5835094d3ee4cdbcfc713e089f1af6b6764c76673a43c34c971

GuLoader

+ 1'585 additional samples on MalwareBazaar

Hatching Triage guloader

Result

Malware family:

guloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:formbook family:guloader campaign:mi62 downloader rat spyware stealer trojan

Link:

https://tria.ge/reports/230522-p5r6xage53/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Loads dropped DLL

Formbook payload

Formbook

Guloader,Cloudeye

UnpacMe 2

Unpacked files

SH256 hash:

75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

MD5 hash:

a436db0c473a087eb61ff5c53c34ba27

SHA1 hash:

65ea67e424e75f5065132b539c8b2eda88aa0506

Link:

https://www.unpac.me/results/183ab301-d660-4cbb-8554-f26c95000d56/

SH256 hash:

4a7494bf219e9421f2aaf50f46b391b813b1df67aa4a929dfed977a4ae8875bb

MD5 hash:

0cd77fa4bf9bd37559c7f4486fbb8fcf

SHA1 hash:

c3505df403fb201a0e88754e6569218602591b1b

Link:

https://www.unpac.me/results/183ab301-d660-4cbb-8554-f26c95000d56/

VMRay FormBook

Malware family:

FormBook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4a7494bf219e/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI GuLoader

Threat name:

GuLoader

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/4a7494bf219e9421f2aaf50f46b391b813b1df67aa4a929dfed977a4ae8875bb