MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 681410b16401ea5300bb40bfbb69e2f01d14ab931f3f8597a2be00dcac74443b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	681410b16401ea5300bb40bfbb69e2f01d14ab931f3f8597a2be00dcac74443b
SHA3-384 hash:	731b8d6355fde63719ceb9f4794778fa524db5bff046c7f78f9c0bbe84e557c588e0757f14f53eab6d811989b0035089
SHA1 hash:	745c96b23553bb28e363f8aefe672babf28e9137
MD5 hash:	9a3ddb7a2fc19c99ecd1e8509b793a82
humanhash:	alabama-mars-alaska-island
File name:	IAENMAIL-A4-230711-0830-0009025.pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	612'320 bytes
First seen:	2023-07-11 09:35:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep	12288:XbQTW8uiZCCUk2HgHfRifMYYNAjcJmSI6BZAohBudTe345UXCbgs:8W81zUk2m5i0YsAWB6ohgFetCbB
Threatray	1'408 similar samples on MalwareBazaar
TLSH	T1B3D42366198AC4FAF6FA07B01BF7E37BA1BDD952311295C757B03F5A6A3C2658D002C0
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	pr0xylife
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IAENMAIL-A4-230711-0830-0009025.pdf.exe

Verdict:

Suspicious activity

Analysis date:

2023-07-11 09:36:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/724393e4-c9bc-41df-b6a6-c7b602aa3259

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/415445/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/97121/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/64ad2284a15fc7eb4fd0b5f3/reports/e43a0219-0b95-4322-b100-4ed2d342d5ab/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/681410b16401ea5300bb40bfbb69e2f01d14ab931f3f8597a2be00dcac74443b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/518a22a6-9dc5-4580-b280-a01aec3417a1

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1270722

Signature

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Very long command line found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/681410b16401ea5300bb40bfbb69e2f01d14ab931f3f8597a2be00dcac74443b/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-07-11 09:36:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nakbbmleahvfgaf3ic73w2pc6aorjk4td47ylf5cxyanzlduiq5q._file

Verdict:

malicious

Label(s):

formbook

GuLoader

192cc32d2b512627692171a834ddc243f4d2eb6402b301c6ce4f495c08720f98

GuLoader

1c809aae258aaa9f029a80ed7b754eead202037eaa84b95c1ee9df2e49faf927

GuLoader

38b1fa09afda5be40267c84dc88ed1291301a6f031b2de0185d40dd9372b2c45

GuLoader

4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875

GuLoader

4d6ae0a40fcc30fab170c3e70dd5076253ddf9fa6ec0886d39cffbd9df99ae52

GuLoader

8731774a17b8d40b743f7fd6ff83d45ca5890f8e1371be8a0755186f2fc3cda0

GuLoader

c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76

GuLoader

e4b6f95557a2356d046da60a1ca4e52d302618108fae774b8128ffc0586366e0

GuLoader

+ 1'398 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/230711-lkxn4shc2w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Checks computer location settings

Guloader,Cloudeye

Unpacked files

SH256 hash:

681410b16401ea5300bb40bfbb69e2f01d14ab931f3f8597a2be00dcac74443b

MD5 hash:

9a3ddb7a2fc19c99ecd1e8509b793a82

SHA1 hash:

745c96b23553bb28e363f8aefe672babf28e9137

Link:

https://www.unpac.me/results/a567c13c-fd35-43db-b96f-5ddb8306feef/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/681410b16401/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/415445/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample