MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7af525c73aaddfe3f532acc545ee8044bae61fff536cffe4db15edf5b5e92454. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7af525c73aaddfe3f532acc545ee8044bae61fff536cffe4db15edf5b5e92454
SHA3-384 hash: 40f3e5d2fe18ff6b390ec57f93aa0504719b1f96f6bec733722d215d450987a3c538a6742f73ef45699a5885f323e926
SHA1 hash: fffaea32c7e1c83e96fc8d195d78e03029a133ec
MD5 hash: 39022eff0b28bdfe77897a0fc5ff4920
humanhash: single-september-neptune-wyoming
File name:rIMG-2023010_WAAa646737kendelsesordniGenicular.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:315'737 bytes
First seen:2023-10-23 23:29:47 UTC
Last seen:2023-10-24 10:30:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f91aceea750f765ef2ba5d9988e6a00 (45 x GuLoader, 7 x Loki, 7 x RemcosRAT)
ssdeep 6144:QMrudbcDdgFhMYFKLy6EQSXL0tLJj99VoftBbxSeTXnUwU2:QfHB+ZSXL0RJJeTxSIXnA2
Threatray 2'793 similar samples on MalwareBazaar
TLSH T147641297AAD198E3EDDB29740D36B7D3B3B7EE0E5410861BA768BC474C01285CD342DA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter FXOLabs
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
329
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rIMG-2023010_WAAa646737kendelsesordniGenicular.exe
Verdict:
Malicious activity
Analysis date:
2023-10-23 23:32:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/976c1761-25ea-47dd-85b8-1050df1e56a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455780/
Detection(s):
SecuriteInfo.com.Trojan.NSIS.Injector.11640.24721.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/653701fb2b74b3f20dd8e8f3/reports/ebaed5ef-b727-4622-9c42-fa66499daf6d/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7af525c73aaddfe3f532acc545ee8044bae61fff536cffe4db15edf5b5e92454
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2f05722b-0853-4436-ac80-87c07cfdc26b
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1330898
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Found malware configuration
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1330898 Sample: rIMG-2023010_WAAa646737kend... Startdate: 24/10/2023 Architecture: WINDOWS Score: 100 30 unif-pid.com 2->30 32 geoplugin.net 2->32 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Antivirus detection for URL or domain 2->50 52 8 other signatures 2->52 8 rIMG-2023010_WAAa646737kendelsesordniGenicular.exe 3 51 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\System.dll, PE32 8->24 dropped 54 Writes to foreign memory regions 8->54 56 Maps a DLL or memory area into another process 8->56 12 wab.exe 4 17 8->12         started        signatures6 process7 dnsIp8 34 unif-pid.com 54.37.178.173, 50098, 50099, 80 OVHFR France 12->34 36 95.214.24.210, 2404, 50100, 50101 CMCSUS Germany 12->36 38 geoplugin.net 178.237.33.50, 50102, 80 ATOM86-ASATOM86NL Netherlands 12->38 26 C:\Users\user\AppData\...\Tekstureredes.exe, PE32 12->26 dropped 28 C:\Users\user\AppData\Roaming\ourytgbh.dat, data 12->28 dropped 58 Maps a DLL or memory area into another process 12->58 60 Installs a global keyboard hook 12->60 17 wab.exe 1 12->17         started        20 wab.exe 1 12->20         started        22 wab.exe 2 12->22         started        file9 signatures10 process11 signatures12 40 Tries to steal Instant Messenger accounts or passwords 17->40 42 Tries to harvest and steal browser information (history, passwords, etc) 17->42 44 Tries to steal Mail credentials (via file / registry access) 20->44
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7af525c73aaddfe3f532acc545ee8044bae61fff536cffe4db15edf5b5e92454
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7af525c73aaddfe3f532acc545ee8044bae61fff536cffe4db15edf5b5e92454/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 21:53:30 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
13 of 37 (35.14%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pl2slrz2vxp6h5jsvtcul3uais5omh77knwp7zg3cxw7lnpjerka._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
0dde47d0905eb44af2fe7b3604c88ceb170b977312730dabd17a96de610a33b6
GuLoader
456f09b71ed09cbc590f6a3b8d5aacc7f0fb94521d8b19b80d2a201e5f73b5a0
GuLoader
4a30f84c5fc555603a11244bf58e1a01bacfc09047068f942d48d674a1375c6d
GuLoader
67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66
GuLoader
6ffc449d97006b9987f99a15ec84d872688d8bff9826d25cac9b4ece3d7e815a
GuLoader
75b6aa1e75a213e7d4184249f86f3b8c4770ea2443ae77e7e6c4f499636b6f71
GuLoader
b2823172397c389e1ff948bd03473193ed8527eb19edff06cbb16e2b43ebc19f
GuLoader
b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
GuLoader
bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb
GuLoader
fc38656ef9f0487f431fc7e32fd39213ebeefc9ca0728fe04d160cce657d5af4
GuLoader
+ 2'783 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:xworm downloader persistence rat trojan
Link:
https://tria.ge/reports/231023-3g5c8aag57/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Detect Xworm Payload
Guloader,Cloudeye
Xworm
Unpacked files
SH256 hash:
f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9
MD5 hash:
d6f54d2cefdf58836805796f55bfc846
SHA1 hash:
b980addc1a755b968dd5799179d3b4f1c2de9d2d
Link:
https://www.unpac.me/results/fe7a3d5e-01ca-469c-a7fd-4e53320a7035/
SH256 hash:
7af525c73aaddfe3f532acc545ee8044bae61fff536cffe4db15edf5b5e92454
MD5 hash:
39022eff0b28bdfe77897a0fc5ff4920
SHA1 hash:
fffaea32c7e1c83e96fc8d195d78e03029a133ec
Link:
https://www.unpac.me/results/fe7a3d5e-01ca-469c-a7fd-4e53320a7035/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7af525c73aad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7af525c73aaddfe3f532acc545ee8044bae61fff536cffe4db15edf5b5e92454

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 7af525c73aaddfe3f532acc545ee8044bae61fff536cffe4db15edf5b5e92454

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/455780/

Comments