MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d
SHA3-384 hash: e529c4e363e72d201fc0a3b315a7451c77f6cbc56d1a314907f1a33aca9361c449dfce9da43c83eeee55643dd3195271
SHA1 hash: 68f4c94bf29fb0cbde97973083f85bf08382f2a2
MD5 hash: 9cef532829a4ca2cf13279ac134873d8
humanhash: music-pennsylvania-queen-double
File name:sahost.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:825'489 bytes
First seen:2024-08-09 17:36:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b40f29cd171eb54c01b1dd2683c9c26b (45 x GuLoader, 16 x RemcosRAT, 15 x VIPKeylogger)
ssdeep 12288:QQT9bUbPgROCAVtagRJGYkCLVaZxnHo6o0L9eC/CgDCJc2Lg:jTZOPgROAitkCQjH1e2n2Lg
Threatray 1'061 similar samples on MalwareBazaar
TLSH T1CF05F1B2E79818A7C82A1739C4779E322277EC5C6E719B4F235C74645FB3382225B50B
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9a9898d8c4e4e0e0 (1 x GuLoader)
Reporter NDA0E
Tags:exe GuLoader RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
536
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
IEexplore.hta
Verdict:
Malicious activity
Analysis date:
2024-08-09 17:34:48 UTC
Tags:
opendir susp-powershell loader guloader
Link:
https://app.any.run/tasks/f436c152-5ab4-4cc3-8307-a5744f29e5f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.TR.Drop.Agent.134141.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b653c0b35234d5cc65c351
Tags:
Encryption Execution
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66b653c2b1392db6bab1b2a1/reports/f0e7f44f-b987-4055-86f2-9ce3c4785dc1/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1fa7dad7-6020-49ff-b6d1-a01f5c7894b3
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490762
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490762 Sample: sahost.exe Startdate: 09/08/2024 Architecture: WINDOWS Score: 100 38 euro-fier-vechi.ro 2->38 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 5 other signatures 2->48 10 sahost.exe 1 20 2->10         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\Fikserbilleders.Suv, ASCII 10->30 dropped 32 C:\Users\user\AppData\...\opencv_ml2410.dll, PE32+ 10->32 dropped 52 Suspicious powershell command line found 10->52 14 powershell.exe 19 10->14         started        signatures6 process7 file8 34 C:\Users\user\AppData\Local\...\sahost.exe, PE32 14->34 dropped 36 C:\Users\user\...\sahost.exe:Zone.Identifier, ASCII 14->36 dropped 54 Writes to foreign memory regions 14->54 56 Found suspicious powershell code related to unpacking or dynamic code loading 14->56 58 Hides threads from debuggers 14->58 60 Powershell drops PE file 14->60 18 wab.exe 2 13 14->18         started        22 conhost.exe 14->22         started        signatures9 process10 dnsIp11 40 euro-fier-vechi.ro 188.214.214.160, 443, 49717, 49719 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 18->40 50 Hides threads from debuggers 18->50 24 cmd.exe 1 18->24         started        signatures12 process13 process14 26 conhost.exe 24->26         started        28 reg.exe 1 1 24->28         started       
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-08-09 06:32:20 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
8 of 38 (21.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhop3jdjj2r7nox2wamp5oolzlhnfgprtfvuu6w266ndvaompcgq._file
Verdict:
unknown
Similar samples:
0aa8854411a4425eb86658545788feb9f69529b80c29964b8c6d0ee5314ae860
GuLoader
21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229
GuLoader
3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a
GuLoader
5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd
GuLoader
86d0b3c927b629f98bb72beebcdee8a831df152a6a2cedb0d65270c23069037c
GuLoader
86d74d655679ee232b8fcf1a0013a17972b6b93aed25ae8beccd5864a9a1ecbe
GuLoader
b0af5e4fbe413f7f7f5d814e5f4c62815cf9df31316e3fa63a8a842245dec524
GuLoader
b300e18bf2da85f573018efd066241135b68e8097fedf22160cdf9c1eafd47dc
GuLoader
c52c6d6ea2de4840848a63dca6946a7242d7a2c5f918afe41f271c6aecf3a0af
GuLoader
f77b953a53a607e534572eda08dfaa91ad61f52491e9982a0790869c80a714c4
GuLoader
+ 1'051 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/240809-v65fhstbqk/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6afbde56-672a-47e7-98cc-6da6601ef4bd
Unpacked files
SH256 hash:
4bbc2904dd371073bbd411aa76be0e73dfdd445f2c61efe63f55085781813cbf
MD5 hash:
b594b796565158e677eb91827faa7fb6
SHA1 hash:
6d4b7c9942733837c5354731d7b2ed21676b9971
Link:
https://www.unpac.me/results/e06d6e46-9dda-4d3e-a545-b0915e95b67c/
SH256 hash:
61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d
MD5 hash:
9cef532829a4ca2cf13279ac134873d8
SHA1 hash:
68f4c94bf29fb0cbde97973083f85bf08382f2a2
Link:
https://www.unpac.me/results/e06d6e46-9dda-4d3e-a545-b0915e95b67c/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61dcfda4694e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Excel file xls e2f8064a2b3a3b4a04f874a8666cddc6cfdf1159e487f88f225baa22f0c2efef

GuLoader

Executable exe 61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d

(this sample)

  
Dropped by
SHA256 e2f8064a2b3a3b4a04f874a8666cddc6cfdf1159e487f88f225baa22f0c2efef
  
Dropped by
SHA256 ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3098020/
  
URLhaus
https://urlhaus.abuse.ch/url/3098021/
  
URLhaus
https://urlhaus.abuse.ch/url/3098008/
  
URLhaus
https://urlhaus.abuse.ch/url/3098010/
  
Dropped by
MD5 51a384c21f19b18a4fd736d1d8411136
  
Dropped by
MD5 a485f9c22bb28feb62d01c63e1cd9faa

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::GetWindowsDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments