MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84aefd4d28b5549160c5e3f2a0305737cff34147cd1748d366eed38b7db17bb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

SHA256 hash: 84aefd4d28b5549160c5e3f2a0305737cff34147cd1748d366eed38b7db17bb8
SHA3-384 hash: cb47f7ccf533f4ea156d23ab5c51f74bd210f0e47715b6985bd1b06cc4a125b443edc55795b2d95a669f4b82d3dc61c0
SHA1 hash: 52f7fcda68b93d690ec658a93d43508d54f2ffc9
MD5 hash: 55d9f57d4be29233ac4f1749f63d87a7
humanhash: seven-fillet-lithium-three
File name: Purchase order R3G560-RA24-03 (400V).exe
Signature: GuLoader
File size: 1'036'464 bytes
First seen: 2023-09-27 07:29:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep: 24576:cEiBpgZtRDRc27cKKe3kLPsjhzJOQbvKVe:cnaRcHKF7dJ1iVe
Threatray: 1'639 similar samples on MalwareBazaar
TLSH: T14425F1E3BD189CA2F879B179A42E1617E7B61CF3CE93093ABCD6FE165431947041B10A
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f1f8b08a88b82c4a (4 x GuLoader)
Reporter: lowmal3
Tags: exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2023-03-23T07:08:53Z
Valid to: 2026-03-22T07:08:53Z
Serial number: 675bca850d6b2e03044670eaa69627f6174a1bd8
Thumbprint Algorithm: SHA256
Thumbprint: 75a74ed702a321b05650875e81d074fab591f8319d30b6513148e4efd625ac85
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 268
Origin country: DE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Purchase order R3G560-RA24-03 (400V).exe
Verdict: Suspicious activity
Analysis date: 2023-09-27 07:31:51 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Searching for the Windows task manager window
Creating a process from a recently created file
Launching a process
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control lolbin masquerade overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph (ID: 1315038; Sample: Purchase_order_R3G560-RA24-...; Start date: 27/09/2023; Architecture: WINDOWS; Score: 96)
Process tree recovered from the graph:
  Purchase_order_R3G560-RA24-03_(400V).exe started
    Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected GuLoader; Initial sample is a PE file and has a suspicious name
    Dropped files (PE32): C:\Users\user\AppData\Local\...\nsExec.dll, C:\Users\user\AppData\Local\...\nsDialogs.dll, C:\Users\user\AppData\Local\...\BgImage.dll, C:\Users\user\AppData\Local\...\Banner.dll
    powershell.exe started
      Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
      powershell.exe started
        Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Tries to detect Any.run; Maps a DLL or memory area into another process
        CasPol.exe started
          Network: drive.google.com 142.250.191.110, port 443 (GOOGLEUS, United States)
          Signatures: Tries to detect Any.run
      conhost.exe started
Threat name: Win32.Trojan.Makoob
Status: Malicious
First seen: 2023-09-22 12:18:12 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 20 of 38 (52.63%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Checks QEMU agent file
Unpacked files
SHA256 hash: 8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c
MD5 hash: 1c8b2b40c642e8b5a5b3ff102796fb37
SHA1 hash: 3245f55afac50f775eb53fd6d14abb7fe523393d

SHA256 hash: c9f9cf1d69ecc1c2b2c67db4326e4d731d1493dac649f52fcb0249b014af9156
MD5 hash: 2cc79bc05c3e1b8d3fa199a38be74373
SHA1 hash: f1b663c597b39b3a4271588894df726353dfecec

SHA256 hash: 84aefd4d28b5549160c5e3f2a0305737cff34147cd1748d366eed38b7db17bb8
MD5 hash: 55d9f57d4be29233ac4f1749f63d87a7
SHA1 hash: 52f7fcda68b93d690ec658a93d43508d54f2ffc9

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe 84aefd4d28b5549160c5e3f2a0305737cff34147cd1748d366eed38b7db17bb8 (this sample)

Delivery method: Distributed via e-mail attachment