MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d8e92aabc31f9bfb79a57bd4b7a7c49f26f696915e92608ead565b0dbf61d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85d8e92aabc31f9bfb79a57bd4b7a7c49f26f696915e92608ead565b0dbf61d7
SHA3-384 hash: 232ef22d07d39a019ce9b2378a6059f0d0e7a916e98cfe20821fb2b1eb94d302db926aa9f70820cb13b0c6c0435426df
SHA1 hash: 58bd25f469df7077cdf091b17bcc150e98d9c9d3
MD5 hash: b7d46522ee8c0ffe6de6103eb3f98950
humanhash: king-helium-two-colorado
File name:b7d46522ee8c0ffe6de6103eb3f98950.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:733'960 bytes
First seen:2024-03-22 07:36:20 UTC
Last seen:2024-03-22 09:25:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep 12288:go5vFoWiZBqQsQ7NKGxfq1dj+iyEOqETzqv:gojQgQsQ7NKGxfAdj+iyEOqPv
Threatray 226 similar samples on MalwareBazaar
TLSH T139F47AFD2C247589FE39C2FA2A558934E71A2D15F41036B6627C32DBC9B988183D390F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 827169697979b1b1 (5 x GuLoader, 1 x Formbook)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Degenerately
Issuer:Degenerately
Algorithm:sha256WithRSAEncryption
Valid from:2024-01-24T08:48:51Z
Valid to:2027-01-23T08:48:51Z
Serial number: 53ec273da8034641e4a36d7e02e27d1188e8609a
Thumbprint Algorithm:SHA256
Thumbprint: b7e59c87623941d3e89fb719bbacd9a009a4d5260045dda6cf448e860f9c3781
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://103.237.87.56/setup/bin.exe
Verdict:
Suspicious activity
Analysis date:
2024-03-22 00:06:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3f7e321d-18ab-4aa8-99f2-1de264495ab3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65fd3525b8cdeee19e6f2ac7/reports/28a1a5aa-4a83-4e29-a849-dfd80fd527df/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/85d8e92aabc31f9bfb79a57bd4b7a7c49f26f696915e92608ead565b0dbf61d7
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5554af14-8aff-4b90-aba8-adb3af832aec
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1413922
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1413922 Sample: 1No1dv4uLe.exe Startdate: 22/03/2024 Architecture: WINDOWS Score: 100 31 www.verifyierbot.xyz 2->31 33 www.eh28mf3cdv.xyz 2->33 35 25 other IPs or domains 2->35 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 57 3 other signatures 2->57 10 1No1dv4uLe.exe 7 57 2->10         started        signatures3 55 Performs DNS queries to domains with low reputation 33->55 process4 file5 29 C:\Users\user\AppData\Local\...\System.dll, PE32 10->29 dropped 13 1No1dv4uLe.exe 6 10->13         started        process6 dnsIp7 43 drive.google.com 142.250.65.238, 443, 49877 GOOGLEUS United States 13->43 45 drive.usercontent.google.com 142.250.81.225, 443, 49878 GOOGLEUS United States 13->45 69 Maps a DLL or memory area into another process 13->69 17 OhnBILoBBcQXaqqMumuFiOKI.exe 13->17 injected signatures8 process9 signatures10 47 Found direct / indirect Syscall (likely to bypass EDR) 17->47 20 finger.exe 13 17->20         started        process11 signatures12 59 Tries to steal Mail credentials (via file / registry access) 20->59 61 Tries to harvest and steal browser information (history, passwords, etc) 20->61 63 Writes to foreign memory regions 20->63 65 3 other signatures 20->65 23 OhnBILoBBcQXaqqMumuFiOKI.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 www.deniztemiz.fun 46.28.105.2, 49904, 49905, 49906 WEDOSCZ Czech Republic 23->37 39 xiaoyue.zhuangkou.com 47.76.88.64, 49880, 49881, 49882 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States 23->39 41 14 other IPs or domains 23->41 67 Found direct / indirect Syscall (likely to bypass EDR) 23->67 signatures15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/85d8e92aabc31f9bfb79a57bd4b7a7c49f26f696915e92608ead565b0dbf61d7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85d8e92aabc31f9bfb79a57bd4b7a7c49f26f696915e92608ead565b0dbf61d7/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2024-03-22 00:15:06 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxmoskvlympzx63zuv55jn5hyspsn5uwsfpjeyeovvlfwdn7mhlq._file
Verdict:
unknown
Similar samples:
1aba3ebf5fc7d6221270fa7e13713216e06b678b197524a35d3a5cd9b1e0d857
GuLoader
73f87dc14d15addd846f2073187ac64be665ce79f618fff31c981ac95a51d288
GuLoader
75bb54e0d27dfeb0efa4680d7136307f9a82edef662e9fc3c4339b05b3fe7079
GuLoader
763d73647ce03b99fdc5a43badfe0f4571e86998395d30f8f68d8042b8c83ace
GuLoader
8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b
GuLoader
8d75ec453d1ff873f2aad8756a39f0c3ecb9addd6ba0a05e771acc9bbe0170ed
GuLoader
92e55159b6e18fb75e5aa6d39a9b37822619c9d31123894ade0f7c4544a045cb
GuLoader
b643d5ee1be492fcbfbfb4c9b9bf3da8460b74ab2097b96e6545318c92f2ee26
GuLoader
df1b0622c227d706845a398bafc28232e1a175e9595ad3a9db9fb2483834343c
GuLoader
+ 216 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/240322-jftesacb4t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
MD5 hash:
3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 hash:
fe582246792774c2c9dd15639ffa0aca90d6fd0b
Link:
https://www.unpac.me/results/47d00103-466f-4630-bb1d-e9e29134186f/
SH256 hash:
85d8e92aabc31f9bfb79a57bd4b7a7c49f26f696915e92608ead565b0dbf61d7
MD5 hash:
b7d46522ee8c0ffe6de6103eb3f98950
SHA1 hash:
58bd25f469df7077cdf091b17bcc150e98d9c9d3
Link:
https://www.unpac.me/results/47d00103-466f-4630-bb1d-e9e29134186f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85d8e92aabc3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/85d8e92aabc31f9bfb79a57bd4b7a7c49f26f696915e92608ead565b0dbf61d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 85d8e92aabc31f9bfb79a57bd4b7a7c49f26f696915e92608ead565b0dbf61d7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2789071/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments