MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51b8aca1622a4a112aa586d6f25d2dd138de8bd6960fe7dfbab578ab5aebcd92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51b8aca1622a4a112aa586d6f25d2dd138de8bd6960fe7dfbab578ab5aebcd92
SHA3-384 hash: 0a2867c1771e818e67382abe4784fa7e9b94c1a869c1b218d22245aeb6ce552d25fbe22210e27389a0328a4c683997df
SHA1 hash: 90ad259fc4f277396a9e79d52a3b995ccd9b080d
MD5 hash: 5c50f3aebb0b53a4b0f4d91236ee9209
humanhash: winter-mirror-bravo-delta
File name:New Order - PSFK23TT002.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:424'280 bytes
First seen:2023-05-02 11:40:58 UTC
Last seen:2023-05-13 22:54:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (280 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 12288:T4FAe+jtbt1JcA8V6icnPrxj3VpVcpO3EG6wC/:CAe+jtbt1JcA8cnPVVpGs9w/
Threatray 589 similar samples on MalwareBazaar
TLSH T1CF94F1423554A0AFD82641329167BE279B53ACF45F905FF73B977B1E5822282E33C22D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 56d4fccccc686070 (5 x GuLoader, 3 x VIPKeylogger, 2 x AZORult)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-18T09:54:59Z
Valid to:2025-12-17T09:54:59Z
Serial number: 7fcbcb7d74a4057e1e53a7730b5b0368d8822763
Thumbprint Algorithm:SHA256
Thumbprint: e2c6597e5ca542fd319460e040897419e7f0724aef0f3aa823155537bd358f68
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
New Order - PSFK23TT002.exe
Verdict:
Malicious activity
Analysis date:
2023-05-02 11:43:10 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/b19c77fb-db5c-4e92-a3da-342ec2e3882c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386098/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66781607.1361.1324.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82226/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer comodo guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6450f6d1eabaad23dca15f2e/reports/eda12481-10a4-42cf-a235-92fb483c0584/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/51b8aca1622a4a112aa586d6f25d2dd138de8bd6960fe7dfbab578ab5aebcd92
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c6ff32ef-8c71-4d17-a185-470348e7badb
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1224613
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51b8aca1622a4a112aa586d6f25d2dd138de8bd6960fe7dfbab578ab5aebcd92/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-05-01 01:15:35 UTC
File Type:
PE (Exe)
Extracted files:
186
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kg4kzilcfjfbckvfq3lpexjn2e4n5c6wsyh6px52wv4kwwxlzwja._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0a80ba418f561098477e18cc42ddfc31796b2be3166ff6c99967b98388fe4826
GuLoader
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
GuLoader
5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
GuLoader
629156764548d3bdbc062de11f6ad819bb0d7d166aac339b04674861df522206
GuLoader
723ff97e6559f6558c288ca693898592a21aab28c003883ca13b81667d7e3aef
GuLoader
85c6278bc488e1f7de26613f178423e147cdfc63088a9327733b531001496a02
GuLoader
ae7a2eab74a6dbeaa780094a1885f588405f0f8eda83910f14e22759d1f1b7aa
GuLoader
c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2
GuLoader
d03b9ead3cfc79c7495986f26b97dbe24b0558314a4993f595c80f8817295c48
GuLoader
dc5da53a5e93a588335b6561258d1540ac7d696c633d03de92e72d8e53254234
GuLoader
+ 579 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/230502-nte7jaah54/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
MD5 hash:
b0c77267f13b2f87c084fd86ef51ccfc
SHA1 hash:
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
Link:
https://www.unpac.me/results/c9dc360e-efc6-4030-9a5e-0795bd86799b/
SH256 hash:
51b8aca1622a4a112aa586d6f25d2dd138de8bd6960fe7dfbab578ab5aebcd92
MD5 hash:
5c50f3aebb0b53a4b0f4d91236ee9209
SHA1 hash:
90ad259fc4f277396a9e79d52a3b995ccd9b080d
Link:
https://www.unpac.me/results/c9dc360e-efc6-4030-9a5e-0795bd86799b/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51b8aca1622a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 51b8aca1622a4a112aa586d6f25d2dd138de8bd6960fe7dfbab578ab5aebcd92

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386098/

Comments