MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
SHA3-384 hash:	0b323e36c6a686cf8ccd62ff43f9e3bf8bcbb07fec81cad8cad3da185d5cf063e551e7635c6da6a22e3c17e3a1ae8385
SHA1 hash:	064d70629cce898ac26eca755c1f24573d1e6362
MD5 hash:	e5daf6477340857b1d2d04411d7c0377
humanhash:	alaska-california-beer-princess
File name:	e5daf6477340857b1d2d04411d7c0377.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	3'596'692 bytes
First seen:	2023-06-16 11:17:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep	98304:IZxnMDp/mWgv8eLZtem6zaPtrnUQ+Ls6pVTEh6XnaVn/tW5X:IZZMD3gvDltebalrUeOokXajWd
Threatray	42 similar samples on MalwareBazaar
TLSH	T1CEF5330BFA24BB97E69981B2A9BDCFF0B755E04015269A5B13FCCEFD391849C235C019
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	800cf18181000080 (1 x GuLoader)
Reporter	abuse_ch
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e5daf6477340857b1d2d04411d7c0377.exe

Verdict:

Malicious activity

Analysis date:

2023-06-16 11:21:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0596cc79-bab0-465d-beca-d4de81303822

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/399456/

Detection(s):

SecuriteInfo.com.Gen.Variant.Adware.Nemesis.14688.11063.2593.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Creating a process from a recently created file

Launching a process

Sending a custom TCP request

Creating a window

Blocking the Windows Defender launch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

buer lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/648c44f0ab82700939a64b92/reports/c1a45e42-461b-4e3a-958f-152255e2a4c1/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/54b69227-6aad-4624-af61-8728c70c2c14

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1255986

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Submitted sample is a known malware sample

Uses cmd line tools excessively to alter registry or file data

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-06-16 11:18:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tgvauejn4egowids4mxbrg7p5umnwxhcsr4hx6ns3pqo6zb3uywa._file

Verdict:

malicious

GuLoader

1177adfb95bdd9a54a339005976ed4096d23fb4dd2099e91c35fc526c9a7cdbd

GuLoader

24846b5909d31e83e7b2f74cbc95f403d51b8377aca1b7e0184408b6d1670dca

GuLoader

615beea238930be9e92faf8e7394d59d65000beb9728bb8b38f6b31c83e435e8

GuLoader

873e3cdc28e17be1027c5b88f5899d2859b40bdbde0c929d32bb26468931c6e3

GuLoader

a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

GuLoader

deebba95dabc50ecaca9ec1a70f321b9712baa078ff94dce2cb2385900c21b20

GuLoader

f080bf1c00fb050cc2a92fb17c08cd22d427782c6f47c532a2462ce3325905f0

GuLoader

f5b3bd1e70cfdf95cd20cc360931cd09675fb4c63ea6dfca938454a79f8b1e31

GuLoader

+ 32 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/230616-nd92zaed41/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Windows security modification

Modifies Windows Defender Real-time Protection settings

Modifies Windows Defender notification settings

Modifies security service

Unpacked files

SH256 hash:

c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

MD5 hash:

b38561661a7164e3bbb04edc3718fe89

SHA1 hash:

f13c873c8db121ba21244b1e9a457204360d543f

Detections:

win_flawedammyy_auto

Link:

https://www.unpac.me/results/16fe0702-51eb-499f-b1b2-83f798645d87/

Parent samples :

99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6

SH256 hash:

458f7b18305ed4271437d6f7688c39dbb09498ee32e675771248f4552bc06f1d

MD5 hash:

f66627572e2ee7c12f6f05ead314d845

SHA1 hash:

ff2d3d09e9ed60e4f8192ec62a574cac7e3c826e

Link:

https://www.unpac.me/results/16fe0702-51eb-499f-b1b2-83f798645d87/

SH256 hash:

894575814cabc89f91efa4844b8944dba27a20819bfb8234b169867bbdb5af1d

MD5 hash:

cc4c55f90d963d2c58332607a8fde974

SHA1 hash:

424e0753c8ba142128ec84ec332761bdd08a412e

Link:

https://www.unpac.me/results/16fe0702-51eb-499f-b1b2-83f798645d87/

SH256 hash:

bf0cf3990c6c23dd91ec21071c31537f36355b6d6900358e1536b9a377427619

MD5 hash:

26fc881f84b7f9081cf6b58ab8f9ec08

SHA1 hash:

c4424b9a716392228d55f7d067592d77e9d1b5d2

Detections:

win_flawedammyy_auto

Link:

https://www.unpac.me/results/16fe0702-51eb-499f-b1b2-83f798645d87/

Parent samples :

99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b

SH256 hash:

99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c

MD5 hash:

e5daf6477340857b1d2d04411d7c0377

SHA1 hash:

064d70629cce898ac26eca755c1f24573d1e6362

Link:

https://www.unpac.me/results/16fe0702-51eb-499f-b1b2-83f798645d87/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/399456/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample