MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d
SHA3-384 hash: 8ef30723a04a312deba3915c72226aa374bd2410c28e58d3bf0ba2c38d74764a2a64d597035632c9e64cb25a5708495f
SHA1 hash: 21cd5df22a9baa3867f982a945cda5ad233eb82c
MD5 hash: 228a21c1d3bdd03a1c3877e918913632
humanhash: london-mexico-lake-finch
File name:228a21c1d3bdd03a1c3877e918913632
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'020'168 bytes
First seen:2023-12-19 07:49:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep 24576:zo5K17MIBIV/JSI246SDM0BbyomEEgrlEaAFSIXch:zkWIIB6Rj24XDNJXrUSIXK
Threatray 20 similar samples on MalwareBazaar
TLSH T1292512523391A9F5ECB08739AC6F56B81591D0BE80AD518E6FE53F2DE03E0314A2F935
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon bcbe9ec6b6b7a6c6 (1 x GuLoader)
Reporter zbetcheckin
Tags:32 exe GuLoader signed

Code Signing Certificate

Organisation:Herligt
Issuer:Herligt
Algorithm:sha256WithRSAEncryption
Valid from:2023-07-24T04:07:49Z
Valid to:2026-07-23T04:07:49Z
Serial number: 1e30a5b29f95ba00aa3ecb1df60237601f109e1e
Thumbprint Algorithm:SHA256
Thumbprint: 4fe020fb62e7bb8b8285edcf03d960f851ea23435be78595735871bdc054d966
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Invoices.xls
Verdict:
Malicious activity
Analysis date:
2023-12-19 07:13:30 UTC
Tags:
phishing phishing-xls opendir exploit cve-2017-11882 loader stealer formbook spyware
Link:
https://app.any.run/tasks/d18ca096-82e2-4d34-a05f-85e28d465c96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468412/
Detection(s):
SecuriteInfo.com.Adware.Generic12.HOD.14374.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65814b2bb4e856b7281f757e/reports/b380adc0-5a18-4705-a895-69a702ce3fe7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/896bc0fb-02b3-4690-9bb6-b2cc8a5c520a
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364357
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1364357 Sample: cNF4Mtqlwc.exe Startdate: 19/12/2023 Architecture: WINDOWS Score: 100 43 www.zenithdash.xyz 2->43 45 www.ylyl.one 2->45 47 6 other IPs or domains 2->47 59 Snort IDS alert for network traffic 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 67 4 other signatures 2->67 12 cNF4Mtqlwc.exe 41 2->12         started        signatures3 65 Performs DNS queries to domains with low reputation 43->65 process4 file5 39 C:\Users\user\AppData\Local\...\nslB928.tmp, data 12->39 dropped 41 C:\Users\user\AppData\Local\...\Bridleway.Bli, data 12->41 dropped 15 powershell.exe 12 12->15         started        process6 signatures7 71 Suspicious powershell command line found 15->71 73 Very long command line found 15->73 75 Found suspicious powershell code related to unpacking or dynamic code loading 15->75 18 powershell.exe 15 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 57 Writes to foreign memory regions 18->57 23 wab.exe 6 18->23         started        27 wab.exe 18->27         started        process10 dnsIp11 55 synergyinnovationgroup.com 65.60.36.22, 443, 49737 SINGLEHOP-LLCUS United States 23->55 69 Maps a DLL or memory area into another process 23->69 29 yqagdmabycHPlkJOSb.exe 23->29 injected signatures12 process13 process14 31 auditpol.exe 13 29->31         started        signatures15 77 Tries to steal Mail credentials (via file / registry access) 31->77 79 Tries to harvest and steal browser information (history, passwords, etc) 31->79 81 Writes to foreign memory regions 31->81 83 3 other signatures 31->83 34 yqagdmabycHPlkJOSb.exe 31->34 injected 37 firefox.exe 31->37         started        process16 dnsIp17 49 www.caffleoraret.cyou 109.123.121.243, 49744, 49745, 49746 UK2NET-ASGB United Kingdom 34->49 51 www.ylyl.one 154.82.81.105, 49752, 49753, 49754 ROOTNETWORKSUS Seychelles 34->51 53 3 other IPs or domains 34->53
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-19 06:24:57 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pnu5b634mdhzmjzeswuunvbrcqqkuqdmi56wzbnaal2ipplhkmoq._file
Verdict:
malicious
Similar samples:
0c676c2e5e20df05118d77d43abdf26828b2780b06886831a705483432b86e78
GuLoader
17a3293a002eb2a940c7face62fccf977cd1ac97714c0c77d344c6948997a4fa
GuLoader
2051138003c024d619292ea1a12d0b813946bc88d885d8a1c49478804acb2d92
GuLoader
405c6ef30357c9ef5c53787a35f2c20c3311d835eb2d15f61038005efcd19c3c
GuLoader
4ecc427abbc3efbeae4fc42d383497728056a76951f5bad56a67002406eaca66
GuLoader
b380861d3a6700f0270709b27f65394e4146f6a109512c084a71c14f69a57bfe
GuLoader
d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204
GuLoader
e028ec06b305b12ae0084a95ff95118dfc97c1870337742446d6981951119c16
GuLoader
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231219-jn9fzaghh7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d
MD5 hash:
228a21c1d3bdd03a1c3877e918913632
SHA1 hash:
21cd5df22a9baa3867f982a945cda5ad233eb82c
Link:
https://www.unpac.me/results/506f0b75-3648-4eba-ba4f-c8d909927e01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/468412/
  
URLhaus
https://urlhaus.abuse.ch/url/2742117/

Comments


Avatar
zbet commented on 2023-12-19 07:49:46 UTC

url : hxxp://172.245.208.4/2546/wlanext.exe