MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 12



SHA256 hash: 889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56
SHA3-384 hash: 9a3c7d46d64782a3adb348d433809419188d9df34b088bd801286bd87c6e60336d0a4dc375d7fe16eba98c61457f7e7b
SHA1 hash: 182f97fea2f3832b6f9ae7a692e1ea82bce07389
MD5 hash: 6765c0e1579c19b31aeecc5470f665a2
humanhash: bulldog-mars-alabama-emma
File name: PO 0033S2.exe
Signature: GuLoader
File size: 339'744 bytes
First seen: 2023-04-21 05:48:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep: 6144:4jJG8HeqNH3hANxQs+5ZqSbVEwMqvvVMP5Hl4ZgQ8VgDnHIdq:V8HeEA8s+5wHIvSP5kgQ8VgDn
Threatray: 627 similar samples on MalwareBazaar
TLSH: T12C74121525F49467E19B07F3B6B9B232BF73EF1105986A8B63E17FB25830382891705B
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: da96b371f0b2b289 (1 x GuLoader)
Reporter: lowmal3
Tags: exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2022-08-24T03:23:42Z
Valid to: 2025-08-23T03:23:42Z
Serial number: 5d0b94e996e7dce1598de4b9f558b1f585e8a579
Thumbprint Algorithm: SHA256
Thumbprint: 00067b2a9a5fa8d80b67823d412f21fdf484d8fc77848dcf5d9245e02279b305
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 264
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO 0033S2.exe
Verdict: Malicious activity
Analysis date: 2023-04-21 07:55:10 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Creating a file
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Sending a custom TCP request
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: buer comodo guloader overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GuLoader, FormBook
Detection: malicious
Classification: troj.evad.rans.spyw
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found potential ransomware demand text
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph: ID 851369, Sample PO_0033S2.exe, Startdate 21/04/2023, Architecture WINDOWS, Score 100 (graph image not reproduced; it shows PO_0033S2.exe dropping System.dll, MapObjectParseLib.dll and UPX Utility.dll, starting mstsc.exe and a second PO_0033S2.exe, injecting into explorer.exe, starting firefox.exe and WerFault.exe, and contacting the domains and IPs listed in the graph)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-04-21 03:27:10 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 8 of 36 (22.22%)
Threat level: 5/5
Result
Malware family: guloader
Score: 10/10
Tags: family:guloader discovery downloader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader, Cloudeye
Unpacked files
SHA256 hash: b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352
MD5 hash: c9473cb90d79a374b2ba6040ca16e45c
SHA1 hash: ab95b54f12796dce57210d65f05124a6ed81234a
Detections: win_qtbot_auto
Parent samples:
SHA256 hash: 889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56
MD5 hash: 6765c0e1579c19b31aeecc5470f665a2
SHA1 hash: 182f97fea2f3832b6f9ae7a692e1ea82bce07389
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe 889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56 (this sample)
Delivery method: Distributed via e-mail attachment

Comments