MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
SHA3-384 hash: 697253de4a247ed6a139490eb522d0e3475518c4f618fd11c6a23acb6fc670f4c4915de418ae41bae3d47cc4c731ed7d
SHA1 hash: 074a0d1433012c4d99ca85926ba57df9581167f3
MD5 hash: b3819313abbaa2c048f2da0577aa40a6
humanhash: blossom-california-undress-hamper
File name:QUOTATION#893034AUG23_BRIDGESTONE_KBG_SAMPLE_PRODUCTS.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:926'960 bytes
First seen:2023-08-11 13:28:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 24576:ucjuuls87yo9MpaZYtEvgZeAweRe/rSCSeowpdZ:njuuCiy0bZUeAweReMU
Threatray 1'566 similar samples on MalwareBazaar
TLSH T1A7152307BB9C8FEEE39A03B2B47A5B31C254DF831512A99376F4FE6D253265C28021D1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e2ee8a8eb6d8ecf4 (56 x AgentTesla, 39 x RemcosRAT, 38 x GuLoader)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-07-19T09:43:44Z
Valid to:2026-07-18T09:43:44Z
Serial number: 0f0490976af4e3f737119ceb24a2ec2634b7dd7c
Thumbprint Algorithm:SHA256
Thumbprint: 697c1f399c373b8df1b40f8799179f36292505b447600be9d67439282d2857ca
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
QUOTATION#893034AUG23_BRIDGESTONE_KBG_SAMPLE_PRODUCTS.exe
Verdict:
Malicious activity
Analysis date:
2023-08-11 13:31:08 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/d05beaed-f260-4396-ae3f-f163134b7b89

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442146/
Detection(s):
SecuriteInfo.com.FileRepMalware.28502.28466.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102523/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Downloader/GuLoader
Link:
https://www.hybrid-analysis.com/sample/4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/424dad4d-7276-4b5b-ad59-f8ce6bcbe260
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290032
Signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290032 Sample: QUOTATION#893034AUG23_BRIDG... Startdate: 11/08/2023 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected GuLoader 2->61 63 4 other signatures 2->63 8 QUOTATION#893034AUG23_BRIDGESTONE_KBG_SAMPLE_PRODUCTS.exe 2 32 2->8         started        12 exploreres.exe 17 2->12         started        14 Realizable.exe 17 2->14         started        16 2 other processes 2->16 process3 file4 41 C:\Users\user\AppData\Local\...\System.dll, PE32 8->41 dropped 71 Tries to detect Any.run 8->71 18 QUOTATION#893034AUG23_BRIDGESTONE_KBG_SAMPLE_PRODUCTS.exe 3 12 8->18         started        43 C:\Users\user\AppData\Local\...\System.dll, PE32 12->43 dropped 23 exploreres.exe 7 12->23         started        45 C:\Users\user\AppData\Local\...\System.dll, PE32 14->45 dropped 73 Multi AV Scanner detection for dropped file 14->73 25 WerFault.exe 21 14->25         started        47 C:\Users\user\AppData\Local\...\System.dll, PE32 16->47 dropped 49 C:\Users\user\AppData\Local\...\System.dll, PE32 16->49 dropped 27 WerFault.exe 16->27         started        29 WerFault.exe 16->29         started        signatures5 process6 dnsIp7 53 66.154.113.5, 49745, 49750, 80 ASN-QUADRANET-GLOBALUS Canada 18->53 37 C:\Users\user\AppData\...\Realizable.exe, PE32 18->37 dropped 39 C:\ProgramData\explorers\exploreres.exe, PE32 18->39 dropped 65 Creates autostart registry keys with suspicious names 18->65 67 Creates multiple autostart registry keys 18->67 69 Tries to detect Any.run 18->69 31 exploreres.exe 17 18->31         started        file8 signatures9 process10 file11 51 C:\Users\user\AppData\Local\...\System.dll, PE32 31->51 dropped 55 Multi AV Scanner detection for dropped file 31->55 35 WerFault.exe 21 16 31->35         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-11 07:32:41 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpd4ozdczje5tflqfpx5uvsh6qfxffsz2hmxcklshky6wtwuk6dq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0a0aee862a220ef9b3c5930319ab048750c71d6a8c24397006220c04627006a4
GuLoader
1e8562d47b5f32ebf2e36d61906d2c981f166968f496f8b9b2c917c80a5d5ba5
GuLoader
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
GuLoader
40e40c04f4357fec11cb9037a802efbe582a4ac64e215909f2c7770475e5a252
GuLoader
79892ac57af9846e3b718c7388c205438a9d0706a597b67638105d8b5572256d
GuLoader
8dde83a4df8de1f092cf5eccbd7f598c9a7d08db43589a683567bda919f6e221
GuLoader
c77a8fafae3b0db31b7dc09f21dc5ef908ade8a564a5c25006ee172500dc0737
GuLoader
d80fc0ab17aed47dc4c1b7ec32991af6d0e600f12b1c04f40ee7b9c962fa789d
GuLoader
e7577fff79de0c5b21ec3684a69f99c795cd7f945c3c71b9b4f414e07a7e34fd
GuLoader
ee548086db277e0febd2797b582a734ac451a9cd050540d2a1fd08afa6232721
GuLoader
+ 1'556 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:sales downloader persistence rat
Link:
https://tria.ge/reports/230811-qq8e1sfa6s/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Executes dropped EXE
Loads dropped DLL
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
64.188.19.202:1604
Unpacked files
SH256 hash:
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
MD5 hash:
55a26d7800446f1373056064c64c3ce8
SHA1 hash:
80256857e9a0a9c8897923b717f3435295a76002
Detections:
win_qtbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/ed9035e1-5f67-4f89-a7e5-744f34a8a657/
Parent samples :
dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
e689963b4319dd5d5249ac1c629af5951f4e90db8040bf7ee33492e54c2c6487
bba7b7e91056db7fb6f628ab6478960b96c1a9d8606d6d5b4d74d5043b2bad79
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
2952bf5efc5b011349d22cbe6e7a813f0ae014d145f23115184a36a1448262d0
4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
830b4dcec27e5d45a9bb7bc538fc026e4af5c3a18de4a71e80b066afe059ac54
2db92a3fa08dc8e97b4f2651e9ec1d123d2556ce5bc7ec9474672767f6505e26
f2b345fcebcd9ed2e342399cfe9819abee7c3642efb6279ad3b4c940555d4564
101057440710c8766fc47fb315ba9fb471c633079c034d5d213e3011cfe075a9
252c26a5ea749569e41b4ce291ea4ff21d08ca884123c8ff171433a359455033
601bc4c4ff50e846a29e702f894f72b8cea1c7c200b363795ed7905784dde043
337b4c24e057d2585f87ed8ad3711ea4c59a3ae1b0895176d983bbc0c64a1d11
1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764
f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
31eb29c56f113f47c0e4d29f346f685db8a00b9394efa9643caafa254f0618d7
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
406a9e03ab016d68a3aa919ac67397a83081f3ef478baf752d90545ec0fac6dc
e1e722daed3f9e886b15a541de7d67a023f42b2af431a5b6879ad7d32a1c36bf
170825eaa838a2e43fc76d3ad458982182f7b5471554ffd993525fd928b21d3d
1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1
2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
3a66e54745e3455f2a8ecf35cc2ae7f3e4c7f960b547a65a55ac8ee4209b37e4
a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e
f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
ec06ca55bb1ff5e2c51e7756302a11bfc5341b6baa323788d93d646bd84602da
9a66af305ab345c37b408f496c0ad1251e1346f41586742df225af2c6564d576
9b2665438001f2c82c0737efac921004f3435efb29d1edffede8e45683a164a9
SH256 hash:
4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
MD5 hash:
b3819313abbaa2c048f2da0577aa40a6
SHA1 hash:
074a0d1433012c4d99ca85926ba57df9581167f3
Link:
https://www.unpac.me/results/ed9035e1-5f67-4f89-a7e5-744f34a8a657/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4bc7c76462ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442146/

Comments