MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a928bf2d0e31a7cb31b1e48d9e532058ad20fd7b37a3aa39fc759112f0d3150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a928bf2d0e31a7cb31b1e48d9e532058ad20fd7b37a3aa39fc759112f0d3150
SHA3-384 hash: 2eb691d041a2425176e6c9f11c5afcd3958da8ababc6554ee0ea5c0a971006dd85b0563538b75cdc8380ac5ed998a858
SHA1 hash: 028ce3f2ec5a4e5b5d45eebcbb4e635a9d0b40fb
MD5 hash: 8783ac676a1a1cdf6ae721ffbc6e71c6
humanhash: ceiling-william-spaghetti-georgia
File name:DS2022010000136_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:153'656 bytes
First seen:2022-09-15 11:43:07 UTC
Last seen:2023-07-17 20:27:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (388 x GuLoader, 59 x RemcosRAT, 44 x VIPKeylogger)
ssdeep 3072:bIlLpNjldDfiLucCMuaSLeRybYU+S8tsuweZqp2E6oNTWEsYz:bspNjlsAeRs9nMPqL6o3z
TLSH T150E3E10133649057EAB307311563A6776DBAE4B7ED525E430301BA1A7C323D37E2FAA9
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8abafacccef2be84 (3 x GuLoader)
Reporter TeamDreier
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Socinianistic Accentueringernes daggryenes
Issuer:Socinianistic Accentueringernes daggryenes
Algorithm:sha256WithRSAEncryption
Valid from:2022-07-16T03:46:53Z
Valid to:2025-07-15T03:46:53Z
Serial number: -0d42ee20c5088a72
Thumbprint Algorithm:SHA256
Thumbprint: 3e34809d2417ed4e23b20aba657301427c4307c95647fbbe3dc2255164d3f1ce
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DS2022010000136_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-09-14 04:32:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/92ad236f-cc6b-419a-b661-ea773c6c0cb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310218/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37693/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6323105b35180ec88e2cb01d/reports/05e4b164-d761-4b77-8093-1c395e36eb5d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/621205d1-9a40-498b-aab1-444a388c2af6
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1071097
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 703640 Sample: DS2022010000136_pdf.exe Startdate: 15/09/2022 Architecture: WINDOWS Score: 100 54 yemsolgse.com 2->54 56 wzilwhittapps.com 2->56 58 16 other IPs or domains 2->58 78 Snort IDS alert for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 5 other signatures 2->84 11 DS2022010000136_pdf.exe 5 25 2->11         started        signatures3 process4 file5 50 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 11->50 dropped 52 C:\Users\user\AppData\Local\...\System.dll, PE32 11->52 dropped 92 Mass process execution to delay analysis 11->92 94 Tries to detect Any.run 11->94 96 Sample uses process hollowing technique 11->96 15 DS2022010000136_pdf.exe 11->15         started        19 powershell.exe 11->19         started        21 powershell.exe 11->21         started        23 106 other processes 11->23 signatures6 process7 dnsIp8 66 drive.google.com 142.250.184.206, 443, 49756 GOOGLEUS United States 15->66 68 googlehosted.l.googleusercontent.com 142.250.185.225, 443, 49757 GOOGLEUS United States 15->68 70 Modifies the context of a thread in another process (thread injection) 15->70 72 Tries to detect Any.run 15->72 74 Maps a DLL or memory area into another process 15->74 76 2 other signatures 15->76 25 explorer.exe 15->25 injected 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 23->35         started        37 conhost.exe 23->37         started        39 103 other processes 23->39 signatures9 process10 dnsIp11 60 designerdreamscapestile.com 15.197.142.173, 49763, 49768, 80 TANDEMUS United States 25->60 62 smokyweenie.com 34.102.136.180, 49771, 80 GOOGLEUS United States 25->62 64 livenaturalreactions.com 34.98.99.30, 49760, 49764, 49776 GOOGLEUS United States 25->64 90 System process connects to network (likely due to code injection or exploit) 25->90 41 cmstp.exe 25->41         started        44 autoconv.exe 25->44         started        signatures12 process13 signatures14 86 Modifies the context of a thread in another process (thread injection) 41->86 88 Maps a DLL or memory area into another process 41->88 46 cmd.exe 41->46         started        process15 process16 48 conhost.exe 46->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a928bf2d0e31a7cb31b1e48d9e532058ad20fd7b37a3aa39fc759112f0d3150/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-09-14 08:18:32 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
13 of 39 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tkjix4wq4mnhzmy3dzentzjsawfned6xwn5dvi47y5mrclyngfia._file
Verdict:
malicious
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220915-nv6e4sgfdj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a19e0847-e6cc-40af-b518-0443a74f519e
Unpacked files
SH256 hash:
c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7
MD5 hash:
b55f7f1b17c39018910c23108f929082
SHA1 hash:
1601f1cc0d0d6bcf35799b7cd15550cd01556172
Link:
https://www.unpac.me/results/77ff297a-a953-43d0-b84d-fd2c12b51e93/
SH256 hash:
552eee5ba88e2bf1064f454ee12b4435f1eef71f963b800ce016bb2bccc9d2dc
MD5 hash:
ca4148087046f143521a4991cc6b7142
SHA1 hash:
cb4c9ea8d80ef1097fbb7fcf03dacc5db5053262
Link:
https://www.unpac.me/results/77ff297a-a953-43d0-b84d-fd2c12b51e93/
SH256 hash:
e69ee897084fcdaf301b710386853fe867c9ed036222be44ba7b5a080e828ffb
MD5 hash:
1a6d0cfb6b904c4bf63491728ce9cf06
SHA1 hash:
ad29426b4888c0f23b758d42320e1ad6cd731133
Link:
https://www.unpac.me/results/77ff297a-a953-43d0-b84d-fd2c12b51e93/
SH256 hash:
9a928bf2d0e31a7cb31b1e48d9e532058ad20fd7b37a3aa39fc759112f0d3150
MD5 hash:
8783ac676a1a1cdf6ae721ffbc6e71c6
SHA1 hash:
028ce3f2ec5a4e5b5d45eebcbb4e635a9d0b40fb
Link:
https://www.unpac.me/results/77ff297a-a953-43d0-b84d-fd2c12b51e93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/9a928bf2d0e31a7cb31b1e48d9e532058ad20fd7b37a3aa39fc759112f0d3150

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 9a928bf2d0e31a7cb31b1e48d9e532058ad20fd7b37a3aa39fc759112f0d3150

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/310218/

Comments