MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c0acba2f36299d7d79205cb8fc5408ab82118c54203b82c441da14841637f49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c0acba2f36299d7d79205cb8fc5408ab82118c54203b82c441da14841637f49
SHA3-384 hash: 9224a3c7f7e1a298c44b06c7fbcb0b749e13499aceae7aacb35da4d5b35314cf687c699326c9f0195cd5c0e66afe579f
SHA1 hash: 1bf501f44753e7758f6ea3656d6aca4feec52c54
MD5 hash: f75ec550073da25ebe9097364b7e04df
humanhash: timing-asparagus-monkey-one
File name:Purchase Order No. STCPLPO22.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:373'104 bytes
First seen:2022-09-02 08:48:00 UTC
Last seen:2022-09-06 08:16:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep 6144:ET4DtVI0BhjnVOJXAV1XvlmSBTd7H8bR0jZQX25udxSy78sQt9Kk9v9CjDrK:ETKnBp0YX8kObRDG0xJ78sgKYv9KDm
TLSH T1788422203A00951FDEB28F392874AB3E99F9FC5209A06D479390BD9CFF11AC29D0D765
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b839f8ccbca6e6ac (3 x GuLoader)
Reporter madjack_red
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Frugteslsestes Gesturers
Issuer:Frugteslsestes Gesturers
Algorithm:sha256WithRSAEncryption
Valid from:2021-09-16T21:49:29Z
Valid to:2024-09-15T21:49:29Z
Serial number: -5e32add0a4907ce1
Thumbprint Algorithm:SHA256
Thumbprint: 7e70acc9368d6ace4395f0336e6a30e933d0d4f2f24249ebf349f7fd42e379df
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order No. STCPLPO22.exe
Verdict:
Malicious activity
Analysis date:
2022-09-02 08:48:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a255d68-ee29-4533-aebd-d7fa8af7b84a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307359/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61653174.20691.22643.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36365/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nemesis overlay packed shell32.dll wacatac
Link:
https://www.filescan.io/uploads/6311c3bb3e9e50b1baf7f232/reports/19a7e59e-6721-4b05-b550-9a8ab9e659d4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/156db237-f120-4dd2-886b-e613b41e7fe2
Result
Threat name:
DBatLoader, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.expl
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1063864
Signature
Drops VBS files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Drops script at startup location
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DBatLoader
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c0acba2f36299d7d79205cb8fc5408ab82118c54203b82c441da14841637f49/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-08-31 12:37:46 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqfmxixtmkm5pv4saxfy7rkark4ccggfiib3qlcedwquqqldp5eq._file
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220902-kqe6ksbbcm/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
MD5 hash:
564bb0373067e1785cba7e4c24aab4bf
SHA1 hash:
7c9416a01d821b10b2eef97b80899d24014d6fc1
Link:
https://www.unpac.me/results/9705b6b4-9405-4056-90e6-4a8dea3bb790/
SH256 hash:
5c0acba2f36299d7d79205cb8fc5408ab82118c54203b82c441da14841637f49
MD5 hash:
f75ec550073da25ebe9097364b7e04df
SHA1 hash:
1bf501f44753e7758f6ea3656d6aca4feec52c54
Link:
https://www.unpac.me/results/9705b6b4-9405-4056-90e6-4a8dea3bb790/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5c0acba2f36299d7d79205cb8fc5408ab82118c54203b82c441da14841637f49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/307359/

Comments