MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92e55159b6e18fb75e5aa6d39a9b37822619c9d31123894ade0f7c4544a045cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92e55159b6e18fb75e5aa6d39a9b37822619c9d31123894ade0f7c4544a045cb
SHA3-384 hash: b92aa45248deb47919272d367e87484794a973321303c993ae54393df47d432023b8424fb06d1032e09e7ac85f7e82bc
SHA1 hash: d99f51698077961cf1d46a651dfa14ef18d19e13
MD5 hash: de7cd552b649caa3fd4a893099c8a924
humanhash: bacon-sierra-steak-mango
File name:a.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:360'920 bytes
First seen:2023-07-19 15:15:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep 6144:xpW706rxuUnXSMGWZz5teVqf787zFg609T0IHj5euOWK8U3QvO5iduiM:KI6r3nCTWJVj8Rg6qT0cNNOWb25EuT
Threatray 99 similar samples on MalwareBazaar
TLSH T12A74129AA6259037EDB2C370D63EFE37CFB94348A9D02F432364994239571864B2D687
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:exe GuLoader scr signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-18T09:27:21Z
Valid to:2025-08-17T09:27:21Z
Serial number: 47aecde5ac6084244e8d04324fd96e32306d2988
Thumbprint Algorithm:SHA256
Thumbprint: 02e0b09f5c8dfa17796f93e25cc8a25d3480ea2726764fc9f04c97a28e245f99
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a.scr
Verdict:
Malicious activity
Analysis date:
2023-07-19 15:17:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad751ec7-b284-4414-821a-5c4dcf79efc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/425267/
Detection(s):
SecuriteInfo.com.BackDoor.Siggen2.2488.26461.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64b7fe337a9c6ddebf0bb4c0/reports/a68a4b98-c2af-44b0-a661-9332c5f3234b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/92e55159b6e18fb75e5aa6d39a9b37822619c9d31123894ade0f7c4544a045cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/673c113a-95a9-4ed1-b9e2-9f2ab25b27ab
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276084
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1276084 Sample: a.scr.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 26 www.zealously-snatch.shop 2->26 28 www.xn--ciqpnj85djnvt4n.com 2->28 30 16 other IPs or domains 2->30 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 5 other signatures 2->46 8 a.scr.exe 4 23 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\System.dll, PE32 8->24 dropped 50 Tries to detect Any.run 8->50 12 cscript.exe 13 8->12         started        15 a.scr.exe 6 8->15         started        signatures6 process7 dnsIp8 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 56 Writes to foreign memory regions 12->56 64 3 other signatures 12->64 18 explorer.exe 4 1 12->18 injected 22 firefox.exe 12->22         started        38 greenwaypoti.ge 188.93.95.68, 49763, 80 CLOUD9GE Georgia 15->38 58 Tries to detect Any.run 15->58 60 Maps a DLL or memory area into another process 15->60 62 Sample uses process hollowing technique 15->62 signatures9 process10 dnsIp11 32 www.fumart.info 203.161.55.148, 49796, 49797, 49798 VNPT-AS-VNVNPTCorpVN Malaysia 18->32 34 www.baltools.com 216.40.34.41, 49818, 49819, 49820 TUCOWSCA Canada 18->34 36 15 other IPs or domains 18->36 48 System process connects to network (likely due to code injection or exploit) 18->48 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92e55159b6e18fb75e5aa6d39a9b37822619c9d31123894ade0f7c4544a045cb/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 05:33:33 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=slsvcwnw4gh3oxs2u3jzvgzxqitbtsotceryssw6b56ekrfaixfq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
06bbd56f97c98fe910af5904b60443fcbf1d88488f374f35d4a0423f045c7b4f
GuLoader
1aba3ebf5fc7d6221270fa7e13713216e06b678b197524a35d3a5cd9b1e0d857
GuLoader
591109da111aac82d548d21277af8fe59f6860ec229847cc1571652bddbc957f
GuLoader
629969a0881903021d039f309d10a9028a1b967153706f7db6386c0773ce727d
GuLoader
73f87dc14d15addd846f2073187ac64be665ce79f618fff31c981ac95a51d288
GuLoader
75bb54e0d27dfeb0efa4680d7136307f9a82edef662e9fc3c4339b05b3fe7079
GuLoader
7d6e9247de0527fa4c0939c4f6e6726a35cb5f39492a7aeab5614ac1ab29b294
GuLoader
8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b
GuLoader
b643d5ee1be492fcbfbfb4c9b9bf3da8460b74ab2097b96e6545318c92f2ee26
GuLoader
f1d545ed6ad2433790b985ad84d102f937b16f44c09f32d9be33f95ef80b7d4d
GuLoader
+ 89 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230719-snfnbshg21/
Behaviour
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Unpacked files
SH256 hash:
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
MD5 hash:
3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 hash:
fe582246792774c2c9dd15639ffa0aca90d6fd0b
Link:
https://www.unpac.me/results/195ff98a-4090-4396-a4fd-ad718b94b5db/
SH256 hash:
92e55159b6e18fb75e5aa6d39a9b37822619c9d31123894ade0f7c4544a045cb
MD5 hash:
de7cd552b649caa3fd4a893099c8a924
SHA1 hash:
d99f51698077961cf1d46a651dfa14ef18d19e13
Link:
https://www.unpac.me/results/195ff98a-4090-4396-a4fd-ad718b94b5db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/92e55159b6e18fb75e5aa6d39a9b37822619c9d31123894ade0f7c4544a045cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/425267/

Comments