MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a6f5a458aa652a41435afc6e89cf46302b02a5bb5fbfa049362b317f446fa54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	9a6f5a458aa652a41435afc6e89cf46302b02a5bb5fbfa049362b317f446fa54
SHA3-384 hash:	827970477e729001d0db36586b3e77f4675f033583addc6177a57ef0a2976c639e46b1cfac35ca84a2902e0d0903e3c0
SHA1 hash:	63096fff3bc5b3f3cbbfb300d6f96dab7c0a15ed
MD5 hash:	deb8bb074cc03666893e62f41f37f1ef
humanhash:	december-papa-kitten-floor
File name:	5283079616_INV_SZV_WJG_001_20230830_180210.exe
Download:	download sample
Signature	Formbook Alert Create hunting rule
File size:	508'604 bytes
First seen:	2023-08-30 13:09:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (384 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep	12288:OqYRUZ2Ro17RhWFORPeHpxIn0xh0rGzdf2wOanRrOoJplr51obRH:ORUZ2q1HWFcPeHpxE0xKrkjpnRiorlgH
Threatray	3'088 similar samples on MalwareBazaar
TLSH	T186B4231233C1C60FC64B6772C5BBA6F95A689C49C93A470F1781BE7B3AB0191C758B63
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

304

Origin country :

US

Vendor Threat Intelligence

ANY.RUN guloader

Malware family:

guloader

Alert

Create hunting rule

ID:

1

File name:

5283079616_INV_SZV_WJG_001_20230830_180210.exe

Verdict:

Malicious activity

Analysis date:

2023-08-30 13:09:36 UTC

Tags:

guloader

Link:

https://app.any.run/tasks/9f6a47af-5ac5-415f-a7b5-a37382cd5b66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/445306/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.8418.11280.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file

Delayed reading of the file

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Dragonfly

Gathering data

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64ef3fad5ec4a8623261dcae/reports/44a32fbf-e371-45b0-93b2-4c336d144536/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9a6f5a458aa652a41435afc6e89cf46302b02a5bb5fbfa049362b317f446fa54

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/6a218901-4d70-4e9b-bd28-4a16c00c9974

Joe Sandbox GuLoader

Result

Threat name:

GuLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1300382

Signature

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a6f5a458aa652a41435afc6e89cf46302b02a5bb5fbfa049362b317f446fa54/

ReversingLabs TitaniumCloud Win32.Trojan.Guloader

Threat name:

Win32.Trojan.Guloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-08-29 03:41:07 UTC

File Type:

PE (Exe)

Extracted files:

11

AV detection:

19 of 38 (50.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tjxvurmkuzjkifbvv7dorhhummblaks3wx57ubetmkzrp5cg7jka._file

Threatray formbook

Verdict:

malicious

Label(s):

formbook

Alert

Create hunting rule

Similar samples:

03315fc089295a2ff5733402c9a928e0fa0c26c3d67dd3610ea121845bde4f1f

Formbook

0361bde7da9104b4a09db39ac90c1af16e0aa137f4f33c57c9844066ce7c6d7a

Formbook

238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458

Formbook

40e40c04f4357fec11cb9037a802efbe582a4ac64e215909f2c7770475e5a252

Formbook

520f17dfba77b701c6efc365a7bf08f29584d54e0ea275db68cd15c528ba7581

Formbook

556db57800de1a678ad62a5d6c85e2de783f3965429679a5c0f584ca3bc483ed

Formbook

6ae1f465cc7f3f76050a4dc053e821ba8b798e323ebf7d8237c9f98b59447061

Formbook

8bc4f4ce5d6c39ec058db68d3f76ea4c1b6d1cd973534dc2e4f624d17d52f904

Formbook

b80d975ddd8e28bf201a5dd08cbfa50ef211aa5600f33b4c10e6d72068864f13

Formbook

d2da367f408927aed9dc92251cc05f67a7032b9f59eafc1db59c1cc4aa71646a

Formbook

+ 3'078 additional samples on MalwareBazaar

Hatching Triage guloader

Result

Malware family:

guloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/230830-qec5qsfe34/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

Guloader,Cloudeye

UnpacMe 2

Unpacked files

SH256 hash:

982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

MD5 hash:

0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1 hash:

10c51496d37cecd0e8a503a5a9bb2329d9b38116

Link:

https://www.unpac.me/results/70e5ebea-d155-4738-b9a4-fb2a055d0aaf/

SH256 hash:

9a6f5a458aa652a41435afc6e89cf46302b02a5bb5fbfa049362b317f446fa54

MD5 hash:

deb8bb074cc03666893e62f41f37f1ef

SHA1 hash:

63096fff3bc5b3f3cbbfb300d6f96dab7c0a15ed

Link:

https://www.unpac.me/results/70e5ebea-d155-4738-b9a4-fb2a055d0aaf/

VMRay GuLoader

Malware family:

GuLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9a6f5a458aa6/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a6f5a458aa652a41435afc6e89cf46302b02a5bb5fbfa049362b317f446fa54

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

  

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/445306/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

Kasibe commented on 2023-08-30 13:25:37 UTC

Guloader