MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
SHA3-384 hash: 526c682c7e83859c8dbb837f77a4c75964f562cf01e4afd8a2cecaacd5a0edf9d7d7facf3ac19eeefd50eee1804afd37
SHA1 hash: d1d3c4b5bfa402e019ae022b7302be255c16ef7b
MD5 hash: 0c09691b8316208374f1bea0ed9cba4c
humanhash: video-venus-magnesium-sierra
File name:98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
Download: download sample
Signature GuLoader
Create hunting rule
File size:699'624 bytes
First seen:2023-05-05 12:48:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (384 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 12288:QqECucXU4xRUFWC/AMby6OnKjNR5QKRL0NWj9MoEzf:ACucEaUFWC/12xyTQKSoBMDb
Threatray 1'581 similar samples on MalwareBazaar
TLSH T1F5E40125F645DC15C7C69FF06A9098ABC1E76C1CEC1006B37E63B9B92B34392B8EC654
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
Verdict:
Malicious activity
Analysis date:
2023-05-05 12:48:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3a36d93d-f71e-4843-a4d7-0470b067d193

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386936/
Detection(s):
Sanesecurity.Rogue.0hr.20230426-0435.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82734/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6454fb3d6cb75a144089fc7e/reports/acb1c0a8-309e-417e-84aa-b4873b3bd77d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1dc8faf5-cb4e-4b6c-bdd6-f27bc22aba09
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1226923
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 859888 Sample: DbkrlzhE3S.exe Startdate: 05/05/2023 Architecture: WINDOWS Score: 100 34 www.tazwid.net 2->34 36 www.neighborhub.net 2->36 38 24 other IPs or domains 2->38 56 Snort IDS alert for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 10 other signatures 2->62 11 DbkrlzhE3S.exe 2 24 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 11->30 dropped 32 C:\Users\user\...\BurningROMPortable.exe, PE32 11->32 dropped 72 Tries to detect Any.run 11->72 15 DbkrlzhE3S.exe 6 11->15         started        signatures6 process7 dnsIp8 46 146.70.158.210, 49836, 80 TENET-1ZA United Kingdom 15->46 48 Modifies the context of a thread in another process (thread injection) 15->48 50 Tries to detect Any.run 15->50 52 Maps a DLL or memory area into another process 15->52 54 2 other signatures 15->54 19 explorer.exe 3 1 15->19 injected signatures9 process10 dnsIp11 40 abeloewen.com 162.144.4.227, 49855, 80 UNIFIEDLAYER-AS-1US United States 19->40 42 www.cloudninemodels.co.uk 217.160.0.27, 49844, 80 ONEANDONE-ASBrauerstrasse48DE Germany 19->42 44 7 other IPs or domains 19->44 64 System process connects to network (likely due to code injection or exploit) 19->64 66 Uses netstat to query active network connections and open ports 19->66 23 NETSTAT.EXE 19->23         started        signatures12 process13 signatures14 68 Modifies the context of a thread in another process (thread injection) 23->68 70 Maps a DLL or memory area into another process 23->70 26 cmd.exe 1 23->26         started        process15 process16 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-04-26 00:25:37 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tduwylgmlqjf3fdyascr35s7gjg3lwf63tla2gpwx2u62rbff2da._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656
GuLoader
28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac
GuLoader
3e742163144a721a8d6733f9653c2acca1638eced30159467a6768aff047f25c
GuLoader
41618cb3eabd9750fa776f31b8117e4025fd3d03af5e30d62100d84ce8101406
GuLoader
7cdb9e0fde39ad1578dbd905a88c8b6492a608349c0fed0c79879f5a086108e9
GuLoader
81ce31f6f3cd9a6a6037c411a1485bee35eaa93965fc6ccc2bd857c991fcad90
GuLoader
89e2a77118c2c57d2eb0c1e92a3aa305b759529e38a6879b42b2e2f15a76843c
GuLoader
bfede26656dbab01c01f5187f8a5d9b63cd0f8bba301e8c1d145bda515960f02
GuLoader
cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409
GuLoader
e044ecf0f485711cc6e4e8bbd56819838787b2365893783b3794a969ce2b5aeb
GuLoader
+ 1'571 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:ks01 discovery downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/230505-p2bprace4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Formbook payload
Formbook
Guloader,Cloudeye
Unpacked files
SH256 hash:
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
MD5 hash:
0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 hash:
10c51496d37cecd0e8a503a5a9bb2329d9b38116
Link:
https://www.unpac.me/results/e5ebdbef-8cb4-415c-9de0-cbbf70e79f58/
SH256 hash:
f4ba65b6c92d2ede85079f72d2911fc2004acccc56f97aa9319f80f3a04e9920
MD5 hash:
193d3ad4dc2748901cf7e9cc67eeafda
SHA1 hash:
4f518e67e4f915ea1570d29d6df64a5ceb643a97
Link:
https://www.unpac.me/results/e5ebdbef-8cb4-415c-9de0-cbbf70e79f58/
SH256 hash:
98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
MD5 hash:
0c09691b8316208374f1bea0ed9cba4c
SHA1 hash:
d1d3c4b5bfa402e019ae022b7302be255c16ef7b
Link:
https://www.unpac.me/results/e5ebdbef-8cb4-415c-9de0-cbbf70e79f58/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/98e96c2ccc5c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/386936/

Comments