MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a
SHA3-384 hash: df70783bfad059555c246bb2267ebf313a96757d7b32c833fabaa90d510b26b6179f495306ba81e44999401d56a99e4d
SHA1 hash: 1270608c6ba21dcd0c83e50652c788945e17dbda
MD5 hash: 795cb3d81416d3c25c2ead5e68e4520f
humanhash: bakerloo-blossom-timing-zulu
File name:RFQ GEC-2804.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'146'864 bytes
First seen:2023-12-04 09:11:36 UTC
Last seen:2023-12-04 10:33:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 66fcdd6338ffed276966867e7cf86116 (9 x GuLoader, 2 x AgentTesla, 2 x RemcosRAT)
ssdeep 24576:AN+eS037HG+SBZB72CARo+KswCmw7bZoCUnvqpxH8iiBzpRCuxXD7Ld6W:UDS9v12C21KTExoNnvaqiqjFD7oW
Threatray 89 similar samples on MalwareBazaar
TLSH T1B935338183FEC5CBE9A38A3C41A766792FE5A3D6E949CB035B33890D6CB97101C571B4
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10f0c4c8c8c4f010 (26 x AgentTesla, 18 x Smoke Loader, 10 x Formbook)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-14T10:04:37Z
Valid to:2025-11-13T10:04:37Z
Serial number: 5eafb8618666b43261e846d60cfba5d6203dd869
Thumbprint Algorithm:SHA256
Thumbprint: d8015816d5d4fedba8a7efe1cea877848024c9829871f84ab6bee62f85dd2d8c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation- P000313.pdf.zip
Verdict:
Malicious activity
Analysis date:
2023-10-23 08:48:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63b06dd5-ea53-41f7-988c-0dd8cd6d664b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462289/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.31183.22115.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656d97e66d4756846dc76dcf/reports/90d462b3-f6b9-4695-a8e3-0be1fdbae5ca/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6a345ae1-a180-4b5c-9a90-1075d844c128
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352996
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Uses nslookup.exe to query domains
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 07:34:09 UTC
File Type:
PE (Exe)
Extracted files:
354
AV detection:
16 of 37 (43.24%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k6kvefougsrnmrf3lvm4udsandkjwoid65lojuffawyjbm6pjffa._file
Verdict:
malicious
Similar samples:
152acaebcc2ede3d62e20ff008beb789c05490dff5af71854d98bb55ffbcea73
GuLoader
44b7dfcb3fee43eb6de84138c06b2fde701eac3521328c4c861cb64a5a44e429
GuLoader
57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a
GuLoader
90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895
GuLoader
+ 79 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/231204-k58fnsab5s/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
2d14e82ace016d0f0ee4fe29df6503955f6a77f3e705424427c1555411539a0e
MD5 hash:
61429bf00b8e34bd54c813bd2f5d09b9
SHA1 hash:
6b04e40ea730fe7e19f9b93ce2a76108f91910aa
Link:
https://www.unpac.me/results/f7fa7400-351d-47a1-8ad6-bcbc8caf440d/
SH256 hash:
57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a
MD5 hash:
795cb3d81416d3c25c2ead5e68e4520f
SHA1 hash:
1270608c6ba21dcd0c83e50652c788945e17dbda
Link:
https://www.unpac.me/results/f7fa7400-351d-47a1-8ad6-bcbc8caf440d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 57955215d434a2d644bb5d59ca0e4068d49b3903f756e4d0a505b090b3cf494a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462289/

Comments