MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5
SHA3-384 hash: 3d441d7ff778b5c276a69409559122043ceba2af1e9377cbb159e39d8679a5f4e3446701bd4a033fa840bb383dd82671
SHA1 hash: 4a4ddf2315449dfcad4682fe6860e617b94e60b1
MD5 hash: 48f82f781035def809b0cdb2f66097a9
humanhash: jig-comet-skylark-chicken
File name:zamowienie.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:775'216 bytes
First seen:2024-10-22 11:16:34 UTC
Last seen:2024-10-22 12:57:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0293eec0b5432ad092f24065016203b2 (21 x GuLoader, 9 x RemcosRAT, 6 x Formbook)
ssdeep 12288:huOjVDNtkrL1G7jcqcGSEpg8PwEHeubieXThqj+2t5MZzWBcrek/P/6g9d9oucMQ:DxDTkd9qcepnLHeotqy2nMZzwGF/hd9o
Threatray 549 similar samples on MalwareBazaar
TLSH T19CF4235646B1ECBFDC254EB1E85509F2B37AAE01C8622F9F3B513E517D3100A9C2B297
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Anonymous
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Asketr
Issuer:Asketr
Algorithm:sha256WithRSAEncryption
Valid from:2024-07-07T06:15:25Z
Valid to:2027-07-07T06:15:25Z
Serial number: 27380871a98fc2a9d010b5f5e699c9926a436723
Thumbprint Algorithm:SHA256
Thumbprint: 86393c8af42ec06cbabeffcb898f002e13075b185bc69ae87f69c2d0639676e6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
470
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
zamowienie.exe
Verdict:
No threats detected
Analysis date:
2024-10-22 11:18:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b4414fc4-2b25-44df-a62c-30acdd149708

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671789af5a02f8393c72f77f
Tags:
Injection Exploit Blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the Windows subdirectories
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/671789ae7184660038538efe/reports/f10ba03e-f0c9-4c55-a062-8d9660e52851/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c7127d27-59ad-46a9-8c8a-6f833eea435b
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1539242
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1539242 Sample: zamowienie.exe Startdate: 22/10/2024 Architecture: WINDOWS Score: 92 32 yourwebbuzz.net 2->32 34 www.yourwebbuzz.net 2->34 36 9 other IPs or domains 2->36 48 Antivirus / Scanner detection for submitted sample 2->48 50 Yara detected GuLoader 2->50 52 AI detected suspicious sample 2->52 10 zamowienie.exe 5 40 2->10         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 10->30 dropped 64 Tries to detect virtualization through RDTSC time measurements 10->64 66 Switches to a custom stack to bypass stack traces 10->66 14 zamowienie.exe 6 10->14         started        signatures6 process7 dnsIp8 44 kambud.biz 185.17.43.223, 443, 49876 ARTNETPL Poland 14->44 68 Maps a DLL or memory area into another process 14->68 18 dmQRVBQMPL.exe 14->18 injected signatures9 process10 signatures11 46 Found direct / indirect Syscall (likely to bypass EDR) 18->46 21 verclsid.exe 13 18->21         started        process12 signatures13 54 Tries to steal Mail credentials (via file / registry access) 21->54 56 Tries to harvest and steal browser information (history, passwords, etc) 21->56 58 Modifies the context of a thread in another process (thread injection) 21->58 60 3 other signatures 21->60 24 dmQRVBQMPL.exe 21->24 injected 28 firefox.exe 21->28         started        process14 dnsIp15 38 www.newhopetoday.app 216.40.34.41, 49978, 49979, 49980 TUCOWSCA Canada 24->38 40 nutrigenfit.online 195.110.124.133, 49986, 49987, 49988 REGISTER-ASIT Italy 24->40 42 4 other IPs or domains 24->42 62 Found direct / indirect Syscall (likely to bypass EDR) 24->62 signatures16
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5/
Threat name:
Win32.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2024-10-22 11:17:05 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
2 of 38 (5.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kd32l3ysonoluwftteeyrx4dqquuwquggaz2zq6rxwjzypiaxxcq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0543e64a297bc79245dd496dd7bd5120f18d7a8a0177b0c0d437d5dadf42b2cb
GuLoader
228d8c35883fe69bb6c166ac7bf54ae5dbbb4598931db8b7e0289a8800379592
GuLoader
3371587a2fb2b6f7e515392941a6bf429391fc5b57f7aa0a10a7bada662497bb
GuLoader
50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5
GuLoader
5cd0c636ee416e8a503cc97c659eb77cbd0a0ac831b7b9faa850c62b55cdb37a
GuLoader
89dad71e8e344e1153817f221f9acf44bddb75941adae5c17a92a461ae1e8424
GuLoader
9fde917e0e590e34264a37918d73be9645301cd68793cf28bbb8430dd1a6fed2
GuLoader
b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14
GuLoader
d38b60251fc60c8100b31321735a3c50fc3f5692fbec18e6cebc03511c129a1c
GuLoader
error
GuLoader
+ 539 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery macos
Link:
https://tria.ge/reports/241022-ndpe9sthnl/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Verdict:
Malicious
Tags:
loader guloader
YARA:
NSIS_GuLoader_July_2024
Link:
https://app.threat.zone/submission/a75a2144-f02d-4fc3-bfd0-0c54d757f85c
Unpacked files
SH256 hash:
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
MD5 hash:
12b140583e3273ee1f65016becea58c4
SHA1 hash:
92df24d11797fefd2e1f8d29be9dfd67c56c1ada
Link:
https://www.unpac.me/results/c41d247c-ee3c-47d6-84bc-17d7c2b240f7/
SH256 hash:
50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5
MD5 hash:
48f82f781035def809b0cdb2f66097a9
SHA1 hash:
4a4ddf2315449dfcad4682fe6860e617b94e60b1
Link:
https://www.unpac.me/results/c41d247c-ee3c-47d6-84bc-17d7c2b240f7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/50f7a5ef1273/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/50f7a5ef12735cba58b3990988df8384294b42863033acc3d1bd939c3d00bdc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::MoveFileExA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments