MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9
SHA3-384 hash: 4d3a7c56f15a8bbb04679679d23b69d206f4ce989ac730921082c0b801df01e40a282ca4c0787cd2231c8c839ee0e22c
SHA1 hash: 623c6e347b5ebb0c788fc0a4bf39e6a6e690b1e9
MD5 hash: 892c52f192cb1905afbf9f09d8c1bf38
humanhash: island-lion-six-pennsylvania
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:303'073 bytes
First seen:2023-03-27 10:29:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep 6144:H6+/tVm/dXDf5kRHVUUTbPQYO4BevqKe2u4Mw2t10uqVrYT4YezDMloPLbQX:Pnm/BDf58VUUoYTFKe7pbqlYT4YeGA8X
Threatray 951 similar samples on MalwareBazaar
TLSH T15554121B24A8C4B7C9E287351F7E0FA5DEF5CE6470642B8B3B013596B63BA80515B3D2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe geo GuLoader TUR ZiraatBank


Avatar
abuse_ch
Payload URL:
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
Malicious activity
Analysis date:
2023-03-27 10:37:31 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/6efa5ec6-73db-4d0a-88a8-afb9e75cba1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377855/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Creating a file in the %AppData% directory
Delayed reading of the file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75187/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6421702d1ea3e0e897d670a9/reports/a2ab3d90-e9c3-4de0-be81-72ccc5174376/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4aead10a-e18d-46e1-82b3-37b0dec69c69
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.rans
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1202588
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found potential ransomware demand text
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 835494 Sample: Ziraat_Bankasi_Swift_Mesaji.exe Startdate: 27/03/2023 Architecture: WINDOWS Score: 100 34 www.textare.net 2->34 36 www.peterslawonline.com 2->36 38 25 other IPs or domains 2->38 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 7 other signatures 2->62 11 Ziraat_Bankasi_Swift_Mesaji.exe 5 57 2->11         started        signatures3 process4 file5 30 C:\Users\user\...\MapiProxy_InUse.dll, PE32 11->30 dropped 32 C:\Users\user\AppData\Local\...\System.dll, PE32 11->32 dropped 70 Tries to detect Any.run 11->70 15 Ziraat_Bankasi_Swift_Mesaji.exe 6 11->15         started        signatures6 process7 dnsIp8 46 34.138.169.8, 49838, 80 ATGS-MMD-ASUS United States 15->46 48 Modifies the context of a thread in another process (thread injection) 15->48 50 Tries to detect Any.run 15->50 52 Maps a DLL or memory area into another process 15->52 54 2 other signatures 15->54 19 explorer.exe 4 1 15->19 injected signatures9 process10 dnsIp11 40 www.credit-cards-54889.com 185.53.179.91, 49859, 80 TEAMINTERNET-ASDE Germany 19->40 42 www.laxmi.digital 213.186.33.5, 49862, 80 OVHFR France 19->42 44 13 other IPs or domains 19->44 64 System process connects to network (likely due to code injection or exploit) 19->64 23 explorer.exe 19->23         started        signatures12 process13 signatures14 66 Modifies the context of a thread in another process (thread injection) 23->66 68 Maps a DLL or memory area into another process 23->68 26 cmd.exe 1 23->26         started        process15 process16 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-03-27 06:56:25 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qmie4dhvxd2q5slsjz5cpouh5446zp6ydvhuk3kcw76qn7m4fduq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
03a84155093ab32f570220991ff8f30d65fa048544c4e0fd95038c730be6cec4
GuLoader
06243274174960778e1adac528d0c2641cf742fa2ba0759c9fe762f7a0692aff
GuLoader
41618cb3eabd9750fa776f31b8117e4025fd3d03af5e30d62100d84ce8101406
GuLoader
41ceb21d5f34451ddc166d2891c03c3af37ac0f2a055f5e274948b14c0f5a187
GuLoader
70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0
GuLoader
73bcee0620ede9e4e5675dea10df5d23b0fb1f8626bb048202389321df4b5538
GuLoader
856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf
GuLoader
8770f9d32f3b5b26267d6320c355f576df3d09e49d58e50ac16d044f4cf2cf54
GuLoader
9d6e3e7c289c554340dbbe1d6d6962c0f516325ec801e841814c676a936e9fc9
GuLoader
c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
GuLoader
+ 941 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:mi94 discovery downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/230327-mja96ada32/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Guloader,Cloudeye
Unpacked files
SH256 hash:
8431038312b6147d873c93739ab0f568ed1d350a8edcbdbd042458900e4ec4e4
MD5 hash:
8b388c556104d348b9d08b6fc159dd38
SHA1 hash:
aac9a65c956212308fdc8d020c67724723d12f72
Link:
https://www.unpac.me/results/251d6676-f67c-426a-b0a2-0eabf12992d6/
SH256 hash:
83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9
MD5 hash:
892c52f192cb1905afbf9f09d8c1bf38
SHA1 hash:
623c6e347b5ebb0c788fc0a4bf39e6a6e690b1e9
Link:
https://www.unpac.me/results/251d6676-f67c-426a-b0a2-0eabf12992d6/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/83104e0cf5b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2581269/
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/377855/

Comments