MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9
SHA3-384 hash: 1a014f17eea1ef27468197749ff8b21f4c1f3b61cfd65ab09b44f82d80338f678a5d0cdf17e337455f4c5fa7bc142b3f
SHA1 hash: 49ad46d2e9c9d192d724a93c10f3dee6a4ceb437
MD5 hash: acdff95b807857e09b16365ec75fe756
humanhash: mexico-shade-twenty-mississippi
File name:Invoices.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:535'440 bytes
First seen:2023-12-14 07:24:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 12288:tlvcllopsALNMiipb+nDHAj5b+EgOIz+5/dGU62gr4XlPZHwsEL2G7E:WzyNMiiV+n0j5b+gR6/StZHARE
Threatray 169 similar samples on MalwareBazaar
TLSH T164B42392FAC04ED2F166437A5E73BE6A62A3EE3524717B2F0B1572265E331C3442950B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8253f5f5f5f5f5d5 (1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Invoices.xls
Verdict:
Malicious activity
Analysis date:
2023-12-14 08:06:55 UTC
Tags:
opendir exploit cve-2017-11882 loader formbook xloader stealer spyware
Link:
https://app.any.run/tasks/2773e394-6e76-47a8-b25f-603630533d04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467396/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Launching a process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/657aad9d855eb2633d6903bc/reports/a2c42b5e-1552-48ad-8abb-51d4750e1425/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ae40081-e5e0-4e38-b1b1-aa01ec112a96
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361973
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1361973 Sample: Invoices.exe Startdate: 14/12/2023 Architecture: WINDOWS Score: 100 45 www.weber-e-store.com 2->45 47 www.rezzla.com 2->47 49 6 other IPs or domains 2->49 67 Snort IDS alert for network traffic 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 5 other signatures 2->73 12 Invoices.exe 28 2->12         started        15 wab.exe 1 2->15         started        17 wab.exe 3 1 2->17         started        signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\...\Systole.Dup, data 12->41 dropped 43 C:\Users\user\AppData\Local\...\nsjA1C6.tmp, data 12->43 dropped 19 powershell.exe 12 12->19         started        process6 signatures7 75 Suspicious powershell command line found 19->75 77 Very long command line found 19->77 79 Found suspicious powershell code related to unpacking or dynamic code loading 19->79 22 powershell.exe 14 19->22         started        25 conhost.exe 19->25         started        process8 signatures9 81 Writes to foreign memory regions 22->81 27 wab.exe 6 22->27         started        process10 dnsIp11 57 lemartinez.za.com 50.115.174.254, 443, 49708 VIRPUS United States 27->57 83 Maps a DLL or memory area into another process 27->83 31 kiXzVMdwEdkZruoxmLIGT.exe 27->31 injected signatures12 process13 process14 33 verclsid.exe 1 13 31->33         started        signatures15 59 Tries to steal Mail credentials (via file / registry access) 33->59 61 Tries to harvest and steal browser information (history, passwords, etc) 33->61 63 Writes to foreign memory regions 33->63 65 3 other signatures 33->65 36 kiXzVMdwEdkZruoxmLIGT.exe 33->36 injected 39 firefox.exe 33->39         started        process16 dnsIp17 51 www.weber-e-store.com 91.195.240.117, 49710, 80 SEDO-ASDE Germany 36->51 53 massiliapousse.com 109.234.161.150, 49715, 49716, 49717 O2SWITCHFR France 36->53 55 2 other IPs or domains 36->55
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-14 06:19:34 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5vpqd2zinzqh4pqfaxhtdcxmgomdqatzmemm2aqlfmvevmp3teq._file
Verdict:
malicious
Similar samples:
3e3ac1d0d519e933394b3c728713b102b9ca63d57bc2427591f4fccf0c9c012a
GuLoader
3ea69a1a0c5cc196a71ab1d7754abe0683813ff321d59d731bb72d2d3d076f3f
GuLoader
4166ad5cb4dc5c1a94846632840494ae95cb1677130a11443889af9a9c44e8e7
GuLoader
95db9ea9df83185a3ab4cdcdac19f62ebf64daaf94ce2ba1f77677bcb361ba9e
GuLoader
9cdf9666a5b359975ad0d1fff59120ff2d7aeeaf2b6491d528a815c6bc582e5d
GuLoader
c17b3e778d12a1b353c665515c1de44df04d6172f0448b62c9cf6dd9e44bb6ca
GuLoader
c5444c85b810f99e008f31b9ea1b1a128df74044cacf326c27fe1937f5b45fdb
GuLoader
e14808468255a0635af33c8889be55caa22ee2bab8cf8da21d76882ef7f36317
GuLoader
fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4
GuLoader
+ 159 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence
Link:
https://tria.ge/reports/231214-h8eawscbcn/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Adds policy Run key to start application
Guloader,Cloudeye
Unpacked files
SH256 hash:
7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9
MD5 hash:
acdff95b807857e09b16365ec75fe756
SHA1 hash:
49ad46d2e9c9d192d724a93c10f3dee6a4ceb437
Link:
https://www.unpac.me/results/2a31fdd4-894e-47e3-b078-20b616b9f0dd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f6af80f5943/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/467396/

Comments