MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f836a2654cceccebabea728ed2d43426153053660a7fbdab3c86b8cd28ef31d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f836a2654cceccebabea728ed2d43426153053660a7fbdab3c86b8cd28ef31d
SHA3-384 hash: 06b7ff8ac8f349670883c78111524b9e573264d877c854ded318c7f9eaf6ce82b8600e976b5128dba4d5e9b2e69c0d64
SHA1 hash: 171106c00aa7c75792c26f9717ef5ba94beaa88c
MD5 hash: 8a9c7a9580d153a0f9c938b50f7aad3e
humanhash: edward-florida-uniform-cup
File name:RFQ001.pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:345'180 bytes
First seen:2023-07-10 07:55:16 UTC
Last seen:2023-07-10 11:08:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (386 x GuLoader, 59 x RemcosRAT, 43 x VIPKeylogger)
ssdeep 6144:qhgqhwXoAoVHX2B5lb5Y3/czJa0YXBldsDe8ugrN+KWTSqaq6lpg59GAfd2cm:pqvVHX8l1Y3n0KBcq+Ner2U9xocm
Threatray 929 similar samples on MalwareBazaar
TLSH T10B74BE2B6B3B9921EE7C7032F2D6D5B357384CB15528B42131D0FE13287767A6A0E18E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ccf4d4dcdedee9b1 (4 x GuLoader)
Reporter lowmal3
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
4
# of downloads :
275
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/413397/
Detection(s):
SecuriteInfo.com.Variant.Jaik.154612.4337.10660.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96800/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64abb992ef1403cd7500e568/reports/f7cd51ec-f7e4-4b2e-bb99-43952b30c213/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/4f836a2654cceccebabea728ed2d43426153053660a7fbdab3c86b8cd28ef31d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/162c53d5-caff-4e06-ba3d-a0669b8bdb8d
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1270330
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1270330 Sample: RFQ001.pdf.exe Startdate: 11/07/2023 Architecture: WINDOWS Score: 88 23 Snort IDS alert for network traffic 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected GuLoader 2->27 29 4 other signatures 2->29 7 RFQ001.pdf.exe 8 35 2->7         started        process3 file4 19 C:\Users\user\AppData\Local\...\System.dll, PE32 7->19 dropped 31 Writes to foreign memory regions 7->31 33 Tries to detect Any.run 7->33 11 CasPol.exe 13 7->11         started        15 CasPol.exe 7->15         started        signatures5 process6 dnsIp7 21 185.252.179.25, 50313, 80 LVLT-10753US Germany 11->21 35 Tries to detect Any.run 11->35 17 conhost.exe 11->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f836a2654cceccebabea728ed2d43426153053660a7fbdab3c86b8cd28ef31d/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 07:43:24 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6bwujsuztwm5ov6u4uo2lkdijqvgbjwmct7xwvtzbvyzuuo6moq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0c3bffacf3e541cfdd0b5552e048c57d313252709926031f1d4672717f9beae3
GuLoader
144750d91bdca21697d15f3dd12845497d62715c6c7251b033d039802795cbda
GuLoader
3e742163144a721a8d6733f9653c2acca1638eced30159467a6768aff047f25c
GuLoader
7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7
GuLoader
991ab8c38fea82c09c29d8ba23996b3626d0a6d6dad0493e95081cee5eab039e
GuLoader
a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675
GuLoader
+ 919 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader collection discovery downloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230710-jsneashc38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Guloader,Cloudeye
Malware Config
C2 Extraction:
https://api.telegram.org/bot5981325437:AAF_K9Ctfdt_Ma8f38KxYX5iSOf-xbTvaAE/
Unpacked files
SH256 hash:
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
MD5 hash:
0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 hash:
10c51496d37cecd0e8a503a5a9bb2329d9b38116
Link:
https://www.unpac.me/results/808a8bd6-2407-4fe5-a221-c3686bba1b15/
SH256 hash:
4f836a2654cceccebabea728ed2d43426153053660a7fbdab3c86b8cd28ef31d
MD5 hash:
8a9c7a9580d153a0f9c938b50f7aad3e
SHA1 hash:
171106c00aa7c75792c26f9717ef5ba94beaa88c
Link:
https://www.unpac.me/results/808a8bd6-2407-4fe5-a221-c3686bba1b15/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f836a2654cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 4f836a2654cceccebabea728ed2d43426153053660a7fbdab3c86b8cd28ef31d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/413397/

Comments