MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895
SHA3-384 hash: 59be6d8c617e1741f7516d6c5479d813647b308e67a96de8273fddbc2f130c42f26a3ac561a68c5e9c87f35e8273d750
SHA1 hash: 8deb6c132454ea8c96d22f7084c53666ea8a00f3
MD5 hash: b3d9364f55be3c17f33a68480e1a6547
humanhash: aspen-coffee-jupiter-beryllium
File name:Purchase Order 1021234.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'200'800 bytes
First seen:2023-10-26 16:06:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 66fcdd6338ffed276966867e7cf86116 (9 x GuLoader, 2 x AgentTesla, 2 x RemcosRAT)
ssdeep 24576:4NBKovR2t6WTPNgGhBYC1Lm7tYZOqjTtgZDTENIHacheumD:ME2RglgGdcihj5gh6I6oeumD
Threatray 74 similar samples on MalwareBazaar
TLSH T13A453325FBD4CCC6E16704B061F87D2EAAA6BC005036D757BB5C78DA6C703AE0A1B749
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8c9ca6e3f193d06c (1 x GuLoader)
Reporter cocaman
Tags:exe GuLoader scr signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-01T10:45:53Z
Valid to:2026-05-31T10:45:53Z
Serial number: 6daf5be3447bfd208aca0e9c6ac19649f62d5c30
Thumbprint Algorithm:SHA256
Thumbprint: 3605c41ddc69aadf9570db2b6a9f1ffc0a91b81f07837612a5fd08c55b4c5a28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456573/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.16251.4718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Creating a file
Delayed reading of the file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/653a8ea8bc703e36b08ee584/reports/3566f325-b5e2-4a78-a319-fa4fd1e0f8c4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d72eb619-215b-42cf-9186-a0ae8f1985ba
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332812
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sd2pqjrvgbi6f5gsn5bvkptxgevabzxuwbpr7jqlbviu2xjp5ckq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
152acaebcc2ede3d62e20ff008beb789c05490dff5af71854d98bb55ffbcea73
GuLoader
4156f1bd9f23e8d19b26225f373b4d76e0088fcadb14b59fbe791d11127795e7
GuLoader
44b7dfcb3fee43eb6de84138c06b2fde701eac3521328c4c861cb64a5a44e429
GuLoader
+ 64 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/231026-tkmg5sda6z/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
2d14e82ace016d0f0ee4fe29df6503955f6a77f3e705424427c1555411539a0e
MD5 hash:
61429bf00b8e34bd54c813bd2f5d09b9
SHA1 hash:
6b04e40ea730fe7e19f9b93ce2a76108f91910aa
Link:
https://www.unpac.me/results/f46c6109-85d0-4ea5-b32f-43b50e3a3836/
SH256 hash:
90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895
MD5 hash:
b3d9364f55be3c17f33a68480e1a6547
SHA1 hash:
8deb6c132454ea8c96d22f7084c53666ea8a00f3
Link:
https://www.unpac.me/results/f46c6109-85d0-4ea5-b32f-43b50e3a3836/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 201be9e9d833ee58b6bb7c14c864b6b97fa8d445d6f9eecae696670160dce8e1

GuLoader

Executable exe 90f4f826353051e2f4d26f43553e77312a00e6f4b05f1fa60b0d514d5d2fe895

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 201be9e9d833ee58b6bb7c14c864b6b97fa8d445d6f9eecae696670160dce8e1
Cape
Cape
https://www.capesandbox.com/analysis/456573/
  
Dropped by
MD5 82ec2fb78e5553180492340afaf2d69f

Comments