MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9
SHA3-384 hash: 17c83ad2de8e6f0b0e04ef77419a1c08da6bb1b4b55856e16df135bf8195d41a1ef2b04cb97a8e2b2e06f1770005ffe8
SHA1 hash: a632477b393af89ee68d94bd862ce28f8060f386
MD5 hash: 7daf58e15d8dc0f743e6ebedcba9ec98
humanhash: five-queen-william-autumn
File name:DHL AWB No. 1930620478.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:842'368 bytes
First seen:2023-12-19 15:27:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep 12288:voyuhjPzQQGSJJ2MAoEIu7uk/Edby8G1NSNv+pIrGygHX2VxnCt6UseCnJCMQfrE:voThjbXJLzEfKs1cNv+pIrHgmYjCcM3
Threatray 74 similar samples on MalwareBazaar
TLSH T13305236397D1DDF9DC3B82B4DC29165A6AA87F10809819CF368C3D625E33112993F2DE
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 292b95959f9d8d85 (4 x GuLoader)
Reporter abuse_ch
Tags:DHL exe GuLoader signed

Code Signing Certificate

Organisation:Acatalectic
Issuer:Acatalectic
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-09T09:42:48Z
Valid to:2026-03-08T09:42:48Z
Serial number: 25e06b999874ee64d571ccb2677a0d4a5245e2c3
Thumbprint Algorithm:SHA256
Thumbprint: dbad148e9eb0c8eac79a6efddfc5cbcff55459e00a37d88b4db10ef2453ec4c4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468527/
Detection(s):
SecuriteInfo.com.Adware.Generic12.HOD.14374.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6581b64f03487a0d25d3f3cd/reports/f17dcd41-63f3-4432-8a4e-3ceb24842c99/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ea67c1c-1a97-4763-b17d-572b6ab38a19
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364626
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1364626 Sample: DHL_AWB_No._1930620478.exe Startdate: 19/12/2023 Architecture: WINDOWS Score: 100 45 www.skinnovations.xyz 2->45 47 www.filmgraphs.com 2->47 49 2 other IPs or domains 2->49 65 Snort IDS alert for network traffic 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 73 3 other signatures 2->73 12 DHL_AWB_No._1930620478.exe 34 2->12         started        15 wab.exe 3 1 2->15         started        17 wab.exe 1 2->17         started        signatures3 71 Performs DNS queries to domains with low reputation 45->71 process4 file5 41 C:\Users\user\AppData\Local\...\nsvD07C.tmp, data 12->41 dropped 43 C:\Users\user\AppData\...\Priksyning.Pyr, data 12->43 dropped 19 powershell.exe 12 12->19         started        process6 signatures7 75 Suspicious powershell command line found 19->75 77 Very long command line found 19->77 79 Found suspicious powershell code related to unpacking or dynamic code loading 19->79 22 powershell.exe 13 19->22         started        25 conhost.exe 19->25         started        process8 signatures9 81 Writes to foreign memory regions 22->81 27 wab.exe 6 22->27         started        process10 dnsIp11 55 www.magssin.com 167.86.119.6, 443, 49715 CONTABODE Germany 27->55 83 Maps a DLL or memory area into another process 27->83 31 sSUNblvGxYdLcibHN.exe 27->31 injected signatures12 process13 process14 33 prevhost.exe 1 13 31->33         started        signatures15 57 Tries to steal Mail credentials (via file / registry access) 33->57 59 Tries to harvest and steal browser information (history, passwords, etc) 33->59 61 Writes to foreign memory regions 33->61 63 3 other signatures 33->63 36 sSUNblvGxYdLcibHN.exe 33->36 injected 39 firefox.exe 33->39         started        process16 dnsIp17 51 www.filmgraphs.com 45.13.161.228, 49721, 49722, 49723 POWERLINE-AS-APPOWERLINEDATACENTERHK Netherlands 36->51 53 www.0q4es.site 107.148.132.244, 49717, 80 ASLINE-AS-APASLINELIMITEDHK United States 36->53
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-12-19 08:28:37 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=khwhzgoxf66fwtbzv4jrk6nbwlsj4icwmvs4qmkujqbnzkyiykuq._file
Verdict:
malicious
Similar samples:
257392d202836c2911f98af1975bd90e2c2bf9bbc3ebb59a241e1ae3ae4c1eac
GuLoader
26867f2c23465d6220bb9f81714c67d2769e54e4ebd0eb15ee3fa3d0dc3b6be3
GuLoader
278ace41e75d67fb91b5c2c6bf345caf8829d8d3ac99bf770a3f2ef51856630b
GuLoader
43acec52a82b408f6b5dc63f194f192fd83ce974960146540170b53090c39029
GuLoader
62ada442852dbc19b06705e9c1357acacdc8a964d61402df870366989501d5d5
GuLoader
976be3f04529b328e1fa9b0f173924c2a0dd3296734eb20fcd922b3171e5a547
GuLoader
c61cf6492202eaa8c4d974fcc83ddfaf44a0538d52ab233e6dca97a997945286
GuLoader
ed2a0e70294cc8ad10831275b462e430c5e0cea5525fbbadcf786bd81b11440c
GuLoader
+ 64 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/231219-svrn6sgaa9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Guloader,Cloudeye
Unpacked files
SH256 hash:
51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9
MD5 hash:
7daf58e15d8dc0f743e6ebedcba9ec98
SHA1 hash:
a632477b393af89ee68d94bd862ce28f8060f386
Link:
https://www.unpac.me/results/584985d8-b028-4584-8031-17cfe0d29f47/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51ec7c99d72f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468527/

Comments