MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8204d1ac916c1df101e3a4908c7231d11cfa33f2cc3524c53fb408ded548a5cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader
Vendor detections: 8

SHA256 hash: 8204d1ac916c1df101e3a4908c7231d11cfa33f2cc3524c53fb408ded548a5cd
SHA3-384 hash: 5d316853318599dfa4e9f988b52dd364b4f9ab13c6f5ef285937d46713f733ca863da5656d8b5e3c435ed977bb0b0146
SHA1 hash: 81aac68feb05c0758575bd85bb1fd1ae9416da11
MD5 hash: d3849ba3b02c7432949cadc5947e8e23
humanhash: vegan-six-enemy-oscar
File name: D3849BA3B02C7432949CADC5947E8E23
Signature: GuLoader
File size: 281'728 bytes
First seen: 2022-09-27 04:26:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fd61eafe142870d6d0380163804a642 (39 x GuLoader, 6 x RemcosRAT, 4 x AgentTesla)
ssdeep: 6144:ZaCoWjO3DMLOVWtvJkjW7EdV/wDcZ0tBpC4rPtneRpHv:ZaCTCwb6ijtS0tqv
TLSH: T11254E1123B9B816BEEF216B849B6D6B943BCFD343A11028F33E4776ED935F146501298
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
       7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
       7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f4d4d0d2d6e4f4f0 (1 x GuLoader)
Reporter: Anonymous
Tags: exe GuLoader signed
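The imphash line above groups this file with 39 other GuLoader samples and with RemcosRAT and AgentTesla droppers because imphash is computed only from the normalised import table, not from the file contents. The following is an added example (not MalwareBazaar's or any vendor's code) that implements the imphash algorithm as pefile does: DLL names are lower-cased and stripped of .dll/.ocx/.sys, imports by ordinal are resolved through a name table (only a subset of pefile's ws2_32.dll table is included here) or emitted as ordN, and the MD5 of the comma-joined list is taken. The import table it runs on is constructed to look like a small downloader; it is not this sample's real import table, so the resulting hash is not 7fd61eafe142870d6d0380163804a642.

```python
import hashlib

# Subset of the ordinal-to-name table pefile uses for ws2_32.dll/wsock32.dll
# imports (assumption: the full table is much longer; these entries suffice here).
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
    16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
    115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32.dll": WS2_32_ORDINALS, "wsock32.dll": WS2_32_ORDINALS}


def normalise_import(dll, func=None, ordinal=None):
    """Return the 'dll.func' token imphash uses for one import entry."""
    dll = dll.lower()
    if func is None:
        # Ordinal import: resolve through the table, else emit ordN as pefile does.
        func = ORDINAL_TABLES.get(dll, {}).get(ordinal) or f"ord{ordinal}"
    base, _, ext = dll.rpartition(".")
    if ext in ("dll", "ocx", "sys"):
        dll = base
    return f"{dll}.{func.lower()}"


def import_string(imports):
    """imports: list of (dll, name_or_None, ordinal_or_None) in import-table order.
    Order matters: a reordered table yields a different imphash."""
    return ",".join(normalise_import(d, n, o) for d, n, o in imports)


def imphash(imports):
    """MD5 over the normalised, comma-joined import list."""
    return hashlib.md5(import_string(imports).encode()).hexdigest()


# Constructed import table resembling a small downloader (not this sample's).
LOADER_IMPORTS = [
    ("KERNEL32.DLL", "GetProcAddress", None),
    ("KERNEL32.DLL", "LoadLibraryA", None),
    ("KERNEL32.DLL", "VirtualAlloc", None),
    ("WS2_32.dll", None, 4),     # connect, imported by ordinal
    ("WS2_32.dll", None, 115),   # WSAStartup, imported by ordinal
    ("WS2_32.dll", None, 999),   # unknown ordinal -> "ord999"
    ("USER32.dll", "MessageBoxA", None),
]

if __name__ == "__main__":
    print(import_string(LOADER_IMPORTS))
    print(imphash(LOADER_IMPORTS))
```

Because only the import table feeds the hash, any sample whose loader stub imports the same functions in the same order shares the value regardless of its payload, which is why the count on the entry mixes families. The converse caveat: adding, removing or reordering a single import changes the hash, so a missing imphash match does not mean the sample is unrelated.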

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2021-12-24T03:26:35Z
Valid to: 2024-12-23T03:26:35Z
Serial number: 260540ab89b71bab
Thumbprint Algorithm: SHA256
Thumbprint: 4c66db723bf521df0c04fd386d4b4f7c0a8dbaba20b98414538cf77a53a394ca
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 228
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
  Creating a window
  Creating a file in the %temp% directory
  Creating a file
  Delayed reading of the file
  Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 80%
Tags: overlay packed shell32.dll

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook, GuLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
  C2 URLs / IPs found in malware configuration
  Malicious sample detected (through community Yara rule)
  Maps a DLL or memory area into another process
  Modifies the context of a thread in another process (thread injection)
  Modifies the prolog of user mode functions (user mode inline hooks)
  Multi AV Scanner detection for submitted file
  NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
  Queues an APC in another process (thread injection)
  Sample is not signed and drops a device driver
  Sample uses process hollowing technique
  System process connects to network (likely due to code injection or exploit)
  Tries to detect Any.run
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Yara detected FormBook
  Yara detected GuLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 710532
Sample: 7xcnQ2Jwq7.exe
Start date: 27/09/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Yara detected GuLoader
  5 other signatures

Process tree (dropped files, network endpoints and signatures are listed under the process the graph attaches them to):

mpam-42a542a2.exe
  dropped: C:\Windows\...\mpuxagent.dll.mui (PE32)
  dropped: C:\Windows\...\ProtectionManagement.dll.mui (PE32)
  dropped: C:\Windows\...\MpEvMsg.dll.mui (PE32)
  dropped: 194 other files (none is malicious)
  signature: Sample is not signed and drops a device driver
  started: MpSigStub.exe
    network: 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States

7xcnQ2Jwq7.exe
  dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
  signature: Tries to detect Any.run
  started: 7xcnQ2Jwq7.exe (second instance)
    network: 185.252.178.116 LVLT-10753US Germany
    signature: Modifies the context of a thread in another process (thread injection)
    signature: Tries to detect Any.run
    signature: Maps a DLL or memory area into another process
    signature: 2 other signatures
    injected: explorer.exe
      network: 172.82.172.241 QUICKPACKETUS United States
      network: 213.186.33.5 OVHFR France
      network: 8 other IPs or domains
      signature: System process connects to network (likely due to code injection or exploit)
      started: wscript.exe
        signature: Modifies the context of a thread in another process (thread injection)
        signature: Maps a DLL or memory area into another process
        started: cmd.exe
          started: conhost.exe

mpam-c40156ec.exe
  dropped: C:\Windows\ServiceProfiles\...\mpengine.dll (PE32+)
  dropped: C:\Windows\ServiceProfiles\...\mpavdlta.vdm (PE32+)
  dropped: C:\Windows\ServiceProfiles\...\mpavbase.vdm (PE32+)
  dropped: 3 other files (none is malicious)
  started: MpSigStub.exe

7 other processes
  started: conhost.exe
  started: conhost.exe

Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2022-09-27 04:27:08 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 4 of 26 (15.38%)
Threat level: 5/5
Verdict: malicious
Label(s): cloudeye

Result
Malware family: guloader
Score: 10/10
Tags: family:guloader discovery downloader
Behaviour
  Enumerates physical storage devices
  Checks installed software on the system
  Loads dropped DLL

Guloader,Cloudeye
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5
MD5 hash: be2621a78a13a56cf09e00dd98488360
SHA1 hash: 75f0539dc6af200a07cdb056cddddec595c6cfd2

SHA256 hash: 8204d1ac916c1df101e3a4908c7231d11cfa33f2cc3524c53fb408ded548a5cd
MD5 hash: d3849ba3b02c7432949cadc5947e8e23
SHA1 hash: 81aac68feb05c0758575bd85bb1fd1ae9416da11
Please note that we are no longer able to provide a coverage score for VirusTotal.
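The hashes of the submitted and unpacked files and the endpoints in the behaviour graph are the indicators a responder would actually hunt with. The block below is an added example (not MalwareBazaar's or any vendor's code) that turns them into a small matcher: it hashes a file and checks every digest against the entry's hash set, and it scans endpoint logs for the C2 addresses. Two caveats from the page are built in: 13.89.179.12 is the Microsoft address contacted by MpSigStub.exe (the Defender definition update that ran in the sandbox, whose dropped files the graph marks as non-malicious), so it is allow-listed rather than treated as an IOC; and because the graph shows the sample injecting into explorer.exe, which then reaches out to further addresses not listed on the page, any explorer.exe connection to a non-private address is flagged as a behavioural hit even when the address is not in the list. The log format and the log lines are constructed for this example; the address 1.2.3.4 is a placeholder public address, and 192.168.1.10 is a placeholder private one.

```python
import hashlib
import ipaddress
import re

# Indicators taken from this MalwareBazaar entry.
FILE_HASHES = {
    "8204d1ac916c1df101e3a4908c7231d11cfa33f2cc3524c53fb408ded548a5cd": "submitted sample (SHA256)",
    "81aac68feb05c0758575bd85bb1fd1ae9416da11": "submitted sample (SHA1)",
    "d3849ba3b02c7432949cadc5947e8e23": "submitted sample (MD5)",
    "852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5": "unpacked file (SHA256)",
    "75f0539dc6af200a07cdb056cddddec595c6cfd2": "unpacked file (SHA1)",
    "be2621a78a13a56cf09e00dd98488360": "unpacked file (MD5)",
}
# Contacted by the sample's second instance and by the injected explorer.exe.
C2_ENDPOINTS = {"185.252.178.116", "172.82.172.241", "213.186.33.5"}
# Contacted by MpSigStub.exe (Defender definition update) in the sandbox, not by the sample.
BENIGN_ENDPOINTS = {"13.89.179.12"}
# System process the sandbox saw the sample inject into.
SYSTEM_PROCS = {"explorer.exe"}

KV = re.compile(r"(\w+)=(\S+)")  # constructed key=value log format


def hash_bytes(data: bytes) -> dict:
    """All digests MalwareBazaar lists for a file, so any one of them can match."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_file(data: bytes):
    """Return the entry label if any digest of data is in the IOC set, else None."""
    for digest in hash_bytes(data).values():
        if digest in FILE_HASHES:
            return FILE_HASHES[digest]
    return None


def scan_logs(lines):
    """Return (line_number, reason) for every line that matches an IOC or the
    'system process connects to network' heuristic. IPv4 only (dst is host:port)."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV.findall(line))
        proc = fields.get("proc", "").lower()
        for key in ("md5", "sha1", "sha256"):
            digest = fields.get(key, "").lower()
            if digest in FILE_HASHES:
                hits.append((n, f"hash match: {FILE_HASHES[digest]}"))
        dst = fields.get("dst")
        if not dst:
            continue
        ip = dst.rsplit(":", 1)[0]
        if ip in BENIGN_ENDPOINTS:
            continue  # allow-listed sandbox noise
        if ip in C2_ENDPOINTS:
            hits.append((n, f"C2 endpoint {ip} from {proc}"))
        elif proc in SYSTEM_PROCS and not ipaddress.ip_address(ip).is_private:
            hits.append((n, f"system process {proc} connects out to {ip}"))
    return hits


# Constructed log lines modelled on the sandbox graph; not real telemetry.
SAMPLE_LOG = [
    "ts=2022-09-27T04:31:02Z event=process_create proc=7xcnQ2Jwq7.exe sha256=8204d1ac916c1df101e3a4908c7231d11cfa33f2cc3524c53fb408ded548a5cd",
    "ts=2022-09-27T04:31:05Z event=net_connect proc=7xcnQ2Jwq7.exe dst=185.252.178.116:80",
    "ts=2022-09-27T04:31:06Z event=net_connect proc=MpSigStub.exe dst=13.89.179.12:443",
    "ts=2022-09-27T04:31:09Z event=net_connect proc=explorer.exe dst=172.82.172.241:80",
    "ts=2022-09-27T04:31:11Z event=net_connect proc=explorer.exe dst=1.2.3.4:443",
    "ts=2022-09-27T04:31:12Z event=net_connect proc=explorer.exe dst=192.168.1.10:445",
    "ts=2022-09-27T04:31:15Z event=process_create proc=notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for n, reason in scan_logs(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Hash matching is exact, so it catches only this build of the dropper and its unpacked payload; the endpoint list and the explorer.exe heuristic are what survive a repack. The heuristic needs tuning on a real host, where explorer.exe does make legitimate outbound connections, so it is better used as a correlation signal alongside the injection events than as a standalone alert.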
