MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9421483b437544acf326c3a6196608adb154310dae3a08831406678785d82d08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9421483b437544acf326c3a6196608adb154310dae3a08831406678785d82d08
SHA3-384 hash: 551c1f0e444cc99cdb4543ee5041aa8810dfa223a9da56c7e41c4e4400542fde436da961c6b9cd175ebb6a5a67ae0f73
SHA1 hash: 0b47e9108dbc4c624e1a5de6a783e5c0049a0aa9
MD5 hash: f3a3a9951a242056fd5cbbf2c495f1e6
humanhash: blue-jig-single-mike
File name:RFQ# 6000163267.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:215'792 bytes
First seen:2022-11-03 01:06:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 6144:+lJZfCCnkmnhf5DR0km8S9uarlSghvycMt:+lxkOnm8qPt
Threatray 33 similar samples on MalwareBazaar
TLSH T12024134872E1D0B3E6CB5F321FB7D3EAD776E62525202B072B242FB959123C9860C355
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0e0d0e0d8b8b034 (1 x GuLoader)
Reporter GovCERT_CH
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-01T21:48:41Z
Valid to:2025-09-30T21:48:41Z
Serial number: -6ea1f2c43b88935e
Thumbprint Algorithm:SHA256
Thumbprint: a76685e52c73c39a925b57debc36f9fef5d249420fa74d5d9339af6b16a43ab3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
RFQ# 6000163267.exe
Verdict:
Malicious activity
Analysis date:
2022-11-03 01:08:22 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/3a92f9e9-6ab6-4c4a-ba65-b64fb5205546

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/327484/
Detection(s):
SecuriteInfo.com.Trojan.TR.AD.Nekark.fszsr.18205.13668.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6363143754f1a631b005c6ed/reports/494dd46c-56b9-4c60-9d64-e0c24ffef9c2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cf70bf31-464e-491f-beaf-3639a2e53185
Result
Threat name:
BluStealer, GuLoader, ThunderFox Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1103902
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected GuLoader
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9421483b437544acf326c3a6196608adb154310dae3a08831406678785d82d08/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 02:08:23 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
17 of 40 (42.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqquqo2dovckz4zgyotbszqivwyviminvy5arayuaztypboyfuea._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
GuLoader
1bf1bfc4c3691ad36cefb7a75dc3dd06d6f8936e48bbadd1d4fa471094753a57
GuLoader
37c86f121c6f2444ba270e021f0fe141de6dac7cba6267e9a873f72eabb6bbff
GuLoader
43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286
GuLoader
6054e801f0c62698352dd4b1d1c3e82097ede19f36cdd2db9b4c69bc763f3adb
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1
GuLoader
83cf1834c1ebc4ab37dcf0734120efadb2ca3354e28c0887aa2188f03de39a15
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
a68190f559500888abbd58c7b35794837352ac2127fb1dd1553c659eba5015a3
GuLoader
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/221103-bgm1dsdce2/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ae2630b4-89c0-496b-a21a-751d15307fe9
Unpacked files
SH256 hash:
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
MD5 hash:
fc90dfb694d0e17b013d6f818bce41b0
SHA1 hash:
3243969886d640af3bfa442728b9f0dff9d5f5b0
Link:
https://www.unpac.me/results/306336bf-82d3-4e66-a929-5acdd8f2683d/
SH256 hash:
9421483b437544acf326c3a6196608adb154310dae3a08831406678785d82d08
MD5 hash:
f3a3a9951a242056fd5cbbf2c495f1e6
SHA1 hash:
0b47e9108dbc4c624e1a5de6a783e5c0049a0aa9
Link:
https://www.unpac.me/results/306336bf-82d3-4e66-a929-5acdd8f2683d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9421483b437544acf326c3a6196608adb154310dae3a08831406678785d82d08

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 9421483b437544acf326c3a6196608adb154310dae3a08831406678785d82d08

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/327484/

Comments