MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 728d23546a438f5238ca4a534635f87086f2ffa4fc71e215a0222a733700de96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 728d23546a438f5238ca4a534635f87086f2ffa4fc71e215a0222a733700de96
SHA3-384 hash: b17fa0b198fa4d501d1612a65bc8d05d65619b1b91a3f186abeba703a9d0cb56180836fcfdceefa394a6919961d2521e
SHA1 hash: bce0e2c346036251c3c708931a163bedd9475a51
MD5 hash: d8bc3cf51b8aee3622dae45d163794b9
humanhash: london-bacon-golf-one
File name:Dekont.pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:659'784 bytes
First seen:2023-04-05 18:32:18 UTC
Last seen:2023-04-05 22:10:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:th+G1b/BfuqutQpHT6kOZO2IGlkr21rYfRChEa+CeKdH:th+G1b/oquOdakMlAulhEjsR
Threatray 829 similar samples on MalwareBazaar
TLSH T1E3E4F10A7D01510ECD6589338C735FE22EB36D2E89E81A1113FEBA5F98367D2765C683
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e070cec884e07889 (5 x GuLoader, 4 x Formbook)
Reporter abuse_ch
Tags:exe geo GuLoader signed TUR

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-11T03:14:09Z
Valid to:2025-10-10T03:14:09Z
Serial number: 503913a897c7f7e8101916dab7beccca29cb82f0
Thumbprint Algorithm:SHA256
Thumbprint: 7012d4e02316e837280cb09e87210a7d1a42c13e774f15e14c199b74685b73e6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dekont.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-05 08:15:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fdb9e160-aa55-4e3b-9d32-012a564a960f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380426/
Detection(s):
SecuriteInfo.com.Application.InstallCore.YE.4507.11796.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% directory
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76703/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/642dbee02f938d3b4e0614b1/reports/f5890eeb-4fdf-40a2-85cb-f15a9a152583/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/728d23546a438f5238ca4a534635f87086f2ffa4fc71e215a0222a733700de96
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6bb980fe-77b8-4869-9578-cfc572e55840
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208730
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 841646 Sample: Dekont.pdf.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 40 www.vinayakatlantis.com 2->40 42 www.sbreyuyufwkg.top 2->42 44 17 other IPs or domains 2->44 62 Snort IDS alert for network traffic 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 4 other signatures 2->68 11 Dekont.pdf.exe 1 37 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\System.dll, PE32 11->32 dropped 34 C:\Users\user\AppData\...\gobject-2.0.dll, PE32+ 11->34 dropped 36 C:\Users\user\AppData\Local\...36MDllHost.exe, PE32 11->36 dropped 38 C:\Users\user\AppData\Local\...\BtvStack.exe, PE32+ 11->38 dropped 80 Tries to detect Any.run 11->80 15 Dekont.pdf.exe 6 11->15         started        signatures6 process7 dnsIp8 52 124.71.228.145, 49851, 80 HWCSNETHuaweiCloudServicedatacenterCN China 15->52 54 Modifies the context of a thread in another process (thread injection) 15->54 56 Tries to detect Any.run 15->56 58 Maps a DLL or memory area into another process 15->58 60 2 other signatures 15->60 19 RAVCpl64.exe 15->19 injected signatures9 process10 process11 21 rundll32.exe 13 19->21         started        signatures12 70 Tries to steal Mail credentials (via file / registry access) 21->70 72 Tries to harvest and steal browser information (history, passwords, etc) 21->72 74 Writes to foreign memory regions 21->74 76 3 other signatures 21->76 24 explorer.exe 3 1 21->24 injected 28 firefox.exe 21->28         started        process13 dnsIp14 46 www.minevisn.com 89.31.143.1, 49893, 49894, 49895 QSC-AG-IPXDE Germany 24->46 48 www.hangthanhlyonline.com 160.124.11.52, 49889, 49890, 49891 POWERLINE-AS-APPOWERLINEDATACENTERHK South Africa 24->48 50 13 other IPs or domains 24->50 78 System process connects to network (likely due to code injection or exploit) 24->78 30 WerFault.exe 4 28->30         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/728d23546a438f5238ca4a534635f87086f2ffa4fc71e215a0222a733700de96/
Threat name:
Win32.Trojan.Krynis
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 01:25:47 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=okgsgvdkiohveogkjjjumnpyocdpf75e7ry6efnaeivhgnya32la._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
094dc63a99e7f4978723577fdbbbadc74ffa4b907368c0cd48b3d0b5f14e3fbc
GuLoader
169fdf358714cd65c4451fe9ec9cb72217367296298f5b570b3e6c74f1a59f61
GuLoader
2f19bd5bfb2adbefdfe7237239415513183d3503e433ad08223197fc9af0dc8e
GuLoader
41618cb3eabd9750fa776f31b8117e4025fd3d03af5e30d62100d84ce8101406
GuLoader
4bf75ced5431972bf4d34227e7fbf107f16ca9879bee1d0b225321ee100e3a11
GuLoader
601d52629466f941c618f71698c7ef86fa1de8329e3de879960b10168c28c5ba
GuLoader
abb75e66ee83ac1c6c680292e35c0fbc2c40020661da883a3787767e87739127
GuLoader
b394bd2bf5686012f76693ff9daddc941662d0c564e4ac4a530ea34b4b0d8cc6
GuLoader
c0303022c1e2e014df91a6ff93d540d2e734a938f93e16649941c418d54e5a62
GuLoader
e29c4da2ffb29da2ca94953e638058674b6234ac0c75864d644a661d582a3ab1
GuLoader
+ 819 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230405-w67fjsah2x/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
c8bbe9cc08eee002ffd79946b4e8fea46adb73ad38c4a98bc502f80a27cf7cb2
MD5 hash:
72cacb6c889d0d99f5a7cf59f208f3cc
SHA1 hash:
b78abb737a0323d448272ac846b315355fc7df8d
Link:
https://www.unpac.me/results/a540f88b-f4eb-4e46-89aa-7b235ec10e5d/
SH256 hash:
728d23546a438f5238ca4a534635f87086f2ffa4fc71e215a0222a733700de96
MD5 hash:
d8bc3cf51b8aee3622dae45d163794b9
SHA1 hash:
bce0e2c346036251c3c708931a163bedd9475a51
Link:
https://www.unpac.me/results/a540f88b-f4eb-4e46-89aa-7b235ec10e5d/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/728d23546a43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/728d23546a438f5238ca4a534635f87086f2ffa4fc71e215a0222a733700de96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380426/

Comments