MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96e8eb2604c81bbb31a16ccf186aa3a9990f01e03b59df7c29536293edfa5454. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96e8eb2604c81bbb31a16ccf186aa3a9990f01e03b59df7c29536293edfa5454
SHA3-384 hash: 6288d43da6a6ebee2ac7225e9202e097ba04030915b909bc3194dccbe397bade0ea2e6141938eae544d290f32de4082b
SHA1 hash: 62a4c99975583f84b9fdf13697ffce9afc3db13b
MD5 hash: 665d29c6fa8c6b5b98bb888553d5b89b
humanhash: three-football-queen-nineteen
File name:Invoices.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:511'218 bytes
First seen:2023-12-19 15:27:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 12288:tlluAaJXFhQA+kdL82vSRyxTJqG4+fI9DygrFUhudFA2J1c:wAcXFWAFdkEx9qO6JUkd2
Threatray 20 similar samples on MalwareBazaar
TLSH T151B41256A6E0FCFDF1370DB969726F39A663BF01A06A023B49E536545232183B02F50F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 292b95959f9d8d85 (4 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468528/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.11414.25714.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Sending an HTTP GET request
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6581b6866b1c246046fc4383/reports/31116ae2-769a-4c01-ab6c-b2c0a32ed8df/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/96e8eb2604c81bbb31a16ccf186aa3a9990f01e03b59df7c29536293edfa5454
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79c3028f-ffae-4dd1-bff5-fae25a1dd80a
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364637
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1364637 Sample: Invoices.exe Startdate: 19/12/2023 Architecture: WINDOWS Score: 100 45 www.skinnovations.xyz 2->45 47 www.filmgraphs.com 2->47 49 2 other IPs or domains 2->49 65 Snort IDS alert for network traffic 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 73 4 other signatures 2->73 12 Invoices.exe 27 2->12         started        15 wab.exe 1 2->15         started        17 wab.exe 3 1 2->17         started        signatures3 71 Performs DNS queries to domains with low reputation 45->71 process4 file5 41 C:\Users\user\AppData\...\Solcremens.Ver, data 12->41 dropped 43 C:\Users\user\AppData\Local\...\nss9FF9.tmp, data 12->43 dropped 19 powershell.exe 12 12->19         started        process6 signatures7 75 Suspicious powershell command line found 19->75 77 Very long command line found 19->77 79 Found suspicious powershell code related to unpacking or dynamic code loading 19->79 22 powershell.exe 15 19->22         started        25 conhost.exe 19->25         started        process8 signatures9 81 Writes to foreign memory regions 22->81 27 wab.exe 6 22->27         started        process10 dnsIp11 55 www.magssin.com 167.86.119.6, 443, 49711 CONTABODE Germany 27->55 83 Maps a DLL or memory area into another process 27->83 31 NUNFKeHjFLIxRILjNRvqhGhCb.exe 27->31 injected signatures12 process13 process14 33 prevhost.exe 1 13 31->33         started        signatures15 57 Tries to steal Mail credentials (via file / registry access) 33->57 59 Tries to harvest and steal browser information (history, passwords, etc) 33->59 61 Writes to foreign memory regions 33->61 63 3 other signatures 33->63 36 NUNFKeHjFLIxRILjNRvqhGhCb.exe 33->36 injected 39 firefox.exe 33->39         started        process16 dnsIp17 51 www.filmgraphs.com 45.13.161.228, 49714, 49715, 49716 POWERLINE-AS-APPOWERLINEDATACENTERHK Netherlands 36->51 53 www.0q4es.site 107.148.132.244, 49713, 80 ASLINE-AS-APASLINELIMITEDHK United States 36->53
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/96e8eb2604c81bbb31a16ccf186aa3a9990f01e03b59df7c29536293edfa5454
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96e8eb2604c81bbb31a16ccf186aa3a9990f01e03b59df7c29536293edfa5454/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 00:04:30 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s3uowjqezan3wmnbnthrq2vdvgmq6apahnm567bjknrjh3p2krka._file
Verdict:
malicious
Similar samples:
257392d202836c2911f98af1975bd90e2c2bf9bbc3ebb59a241e1ae3ae4c1eac
GuLoader
26867f2c23465d6220bb9f81714c67d2769e54e4ebd0eb15ee3fa3d0dc3b6be3
GuLoader
51ec7c99d72fbc5b4c39af131579a1b2e49e20566565c831544c02dcab08c2a9
GuLoader
7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9
GuLoader
976be3f04529b328e1fa9b0f173924c2a0dd3296734eb20fcd922b3171e5a547
GuLoader
c61cf6492202eaa8c4d974fcc83ddfaf44a0538d52ab233e6dca97a997945286
GuLoader
d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204
GuLoader
d4471111f0e92ea1d7760bd2cc6f75ce16bc8245d077edc47d56181f23a96cea
GuLoader
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231219-swbpcagbc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
96e8eb2604c81bbb31a16ccf186aa3a9990f01e03b59df7c29536293edfa5454
MD5 hash:
665d29c6fa8c6b5b98bb888553d5b89b
SHA1 hash:
62a4c99975583f84b9fdf13697ffce9afc3db13b
Link:
https://www.unpac.me/results/ba2023e3-126f-48b5-ad8c-9cbb3330b282/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96e8eb2604c81bbb31a16ccf186aa3a9990f01e03b59df7c29536293edfa5454

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 96e8eb2604c81bbb31a16ccf186aa3a9990f01e03b59df7c29536293edfa5454

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468528/

Comments