MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7916f9aeaf36a8fec95e5a5cb7372f509e6597d3b8648a636b425f382e6993f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7916f9aeaf36a8fec95e5a5cb7372f509e6597d3b8648a636b425f382e6993f8
SHA3-384 hash: fb230cee9983ad978e3f1248d6bd683174c48a95b8d4e363e456baa58ae76eb627e99f8a491d86830d006eb1272beb26
SHA1 hash: fc57d03c3ff916c89beaacc7f29d1080bb334cae
MD5 hash: 9f105c65050bd70378e400a18468ea23
humanhash: winter-jupiter-mike-illinois
File name:SWIFT09022022pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:239'504 bytes
First seen:2022-02-09 16:00:56 UTC
Last seen:2022-02-09 17:48:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:fbG7N2kDTHUpouekcFpY6Dl2eb966tSKtWnDR8F9V7qC6KqNKZV89uv9TDJ/+1Gl:fbE/HUfoUwtWnFI94n8+uv9JG1G1sExz
Threatray 1'541 similar samples on MalwareBazaar
TLSH T1AA34F150B250EC6BD85312F0EC35E6F11BEDEE05D5368A472762BF0CB9B7742242B91A
File icon (PE):PE icon
dhash icon b270e896ceccd4cc (4 x GuLoader, 1 x AgentTesla)
Reporter James_inthe_box
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:COUPLETS
Issuer:COUPLETS
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-09T10:56:16Z
Valid to:2023-02-09T10:56:16Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 060bdf8be7e79972728b834be82f7c71a1227b87dac9cce926aa6e1ac5989789
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239696/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.4243.8979.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a window
Creating a file
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6531/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6203e549c649d4049451b0de/reports/c3a3b2d5-cdb7-4fbc-a779-f355c672a45b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ef1332b4-508c-4080-9f2f-0d1caf9a5816
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/937022
Signature
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 569500 Sample: SWIFT09022022pdf.exe Startdate: 09/02/2022 Architecture: WINDOWS Score: 48 22 Sigma detected: Suspicious Svchost Process 2->22 6 SWIFT09022022pdf.exe 24 2->6         started        10 explorer.exe 2->10         started        process3 file4 16 C:\Users\user\AppData\Local\...\vbsedit32.dll, PE32 6->16 dropped 18 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 6->18 dropped 20 C:\Users\user\AppData\Local\...\System.dll, PE32 6->20 dropped 24 Tries to detect virtualization through RDTSC time measurements 6->24 12 explorer.exe 6->12         started        14 svchost.exe 10->14         started        signatures5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7916f9aeaf36a8fec95e5a5cb7372f509e6597d3b8648a636b425f382e6993f8/
Threat name:
Win32.Trojan.Shelsy
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 16:00:21 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pelptlvpg2up5sk6ljolonzpkcpglf6txbsiuy3lijptqltjsp4a._file
Verdict:
suspicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683
GuLoader
39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
GuLoader
4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911
GuLoader
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
GuLoader
c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd
GuLoader
c5c0fbca778f53dc085d84ad3f038e4a20bce7add5f07012594194bc3bca522a
GuLoader
fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025
GuLoader
+ 1'531 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220209-tf782saha6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/124f7d0e-c9fa-4359-b2a6-a712a39f232d/
SH256 hash:
0b2277d8aaf36e01aca3ae33e227b44bebc541a9c5cef6eb4fef93e96821a6cd
MD5 hash:
b1ba7a8263281244782ca5604876cb2c
SHA1 hash:
b8523dee6d7e74512a05c60cc35c0fddac370252
Link:
https://www.unpac.me/results/124f7d0e-c9fa-4359-b2a6-a712a39f232d/
SH256 hash:
7916f9aeaf36a8fec95e5a5cb7372f509e6597d3b8648a636b425f382e6993f8
MD5 hash:
9f105c65050bd70378e400a18468ea23
SHA1 hash:
fc57d03c3ff916c89beaacc7f29d1080bb334cae
Link:
https://www.unpac.me/results/124f7d0e-c9fa-4359-b2a6-a712a39f232d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/239696/

Comments