MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417
SHA3-384 hash: 180c66fbf7f464aa696a3623bd3d2cc6fd2735ac8036572d1d3ca26269e27e7f6b6e4f622858b9bb720e288dc02f48af
SHA1 hash: d179abb23500cd76c7ce155733c082d8811feab6
MD5 hash: 178054024878d411de7201b70372f719
humanhash: alabama-west-bakerloo-nineteen
File name:Levoversion.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:761'056 bytes
First seen:2024-02-20 14:02:24 UTC
Last seen:2024-02-20 19:17:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 12288:7GjjmLOEaDtYhttRWcxZOGc05EoSQ6BoXXpcFLApUXgO3K3:0SLOLD6htPW6Zzc0CxQ6BoXdyPi
TLSH T128F412A02645E9A7CBB1C0718BB7C2B38769D6B82D54232312C13FAF3872955E85E17D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter James_inthe_box
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Damasking
Issuer:Damasking
Algorithm:sha256WithRSAEncryption
Valid from:2023-07-07T00:41:00Z
Valid to:2026-07-06T00:41:00Z
Serial number: 312136edfb1d6e746f5ea0a01aced604946af78d
Thumbprint Algorithm:SHA256
Thumbprint: 52d58ff57dbaeaea8d63c0f957af80f4dec6f0657ea8fad5c38f62e2e6d3a3c3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477066/
Detection(s):
SecuriteInfo.com.Troj.Inject-EAO.957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65d4b15726f1ddc579a20d4c/reports/1982fa77-b725-48f9-97a6-335f079dfdeb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53ee3fb5-8257-494e-87fa-ca018727ddbe
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1395305
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1395305 Sample: Levoversion.exe Startdate: 20/02/2024 Architecture: WINDOWS Score: 72 29 Antivirus detection for URL or domain 2->29 31 Yara detected GuLoader 2->31 33 Sigma detected: Suspicious Script Execution From Temp Folder 2->33 7 Levoversion.exe 3 30 2->7         started        process3 file4 23 C:\Users\user\AppData\...\Blindflyvning.Lan, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->25 dropped 35 Suspicious powershell command line found 7->35 11 powershell.exe 18 7->11         started        signatures5 process6 file7 27 C:\Users\user\AppData\Local\...xsuction.exe, PE32 11->27 dropped 37 Found suspicious powershell code related to unpacking or dynamic code loading 11->37 39 Powershell drops PE file 11->39 15 SIHClient.exe 6 11->15         started        17 conhost.exe 11->17         started        19 Exsuction.exe 11->19         started        21 36 other processes 11->21 signatures8 process9
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-20 12:21:52 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pn6am3yddvicdm6ogarwuvc472uxg3662nc6cdjtqdovzckeoqlq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/240220-rcnn5ahh52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SH256 hash:
e7b145abc7c519e6bd91dc06b7b83d1e73735ac1ac37d30a7889840a6eed38fc
MD5 hash:
50ba20cad29399e2db9fa75a1324bd1d
SHA1 hash:
3850634bb15a112623222972ef554c8d1eca16f4
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/518c586a-9c6f-44e7-82a1-beb6032220ac/
Parent samples :
44dc55275444f583d81f224be2172d1468ca7901032329ad2210a3b7abfaf80e
b3a1509f77da1f09f79e2d0d6b6c6938db01f8ec67fa6adcf992eeb5b6b8698a
6a3648d9ef381db17f71b6e13ed8006fd12069183e2824b455a170afc64fa0ba
7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417
145c299180fb1556c843a944b33f57c933382c801906a9b7ce3f59f7028b0409
SH256 hash:
4bf14031eb0460e4e8234ef1157d8a254354504ced37f86fdbb1644ed45302c0
MD5 hash:
a4e21a6c9cde2319a1d2dc7335229e47
SHA1 hash:
141082e43fd1bbe6e5ac022dd4074b6c9e7a23d4
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/518c586a-9c6f-44e7-82a1-beb6032220ac/
Parent samples :
44dc55275444f583d81f224be2172d1468ca7901032329ad2210a3b7abfaf80e
b3a1509f77da1f09f79e2d0d6b6c6938db01f8ec67fa6adcf992eeb5b6b8698a
6a3648d9ef381db17f71b6e13ed8006fd12069183e2824b455a170afc64fa0ba
7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417
145c299180fb1556c843a944b33f57c933382c801906a9b7ce3f59f7028b0409
SH256 hash:
7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417
MD5 hash:
178054024878d411de7201b70372f719
SHA1 hash:
d179abb23500cd76c7ce155733c082d8811feab6
Link:
https://www.unpac.me/results/518c586a-9c6f-44e7-82a1-beb6032220ac/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b7c066f031d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b7c066f031d5021b3ce30236a545cfea9736fded345e10d3380dd5c89447417

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/477066/

Comments