MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d6cef5aace8864164fc3a2f7027c70e6e220153b2c42feb4d05b367e6835d19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d6cef5aace8864164fc3a2f7027c70e6e220153b2c42feb4d05b367e6835d19
SHA3-384 hash: 8c315225aab4f3351c2d34b4db9fb998ed42f039b07e045bb8a0945553830459f28dd352d27fa21bf33255fd2d2bab48
SHA1 hash: 6ce6f47f56dfbe00870f558948980d57c9877999
MD5 hash: 0302274ac1df9b42f25d62dd768116a4
humanhash: sink-beer-paris-rugby
File name:Form_Disaffilia4.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2021-11-01 16:10:57 UTC
Last seen:2021-11-01 18:10:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a47213b748f6760dda1930748ee4ad6 (3 x GuLoader)
ssdeep 768:zRTCfYNhkin1wWG2k73CYG+xLP6kA/QLlejrd60LKA6UjpOB12Xq5ofo7BjNnIho:z8fKhrwwTkT/wg0L9sBIa5nXUQiF1U
Threatray 11'025 similar samples on MalwareBazaar
TLSH T12CB36B12A17E9C9BD85E8F3836858D9072834E1086DBD5B7ED427A4CD7322DCCB852DE
File icon (PE):PE icon
dhash icon 12f1f8dcacde6cb0 (4 x GuLoader)
Reporter GovCERT_CH
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Form_Disaffilia4.exe
Verdict:
No threats detected
Analysis date:
2021-11-01 08:15:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/27f1e536-7dc9-4536-8fc5-22d84bb87c20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201150/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37919312.30526.9236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
No Threat
Threat level:
  10/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/61801197db358dd15ee37aac/reports/75e0ccfb-d3be-4312-b040-c51f134fd578/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/987dfdbd-3ac8-4b51-8fef-ea0a76940deb
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880597
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 513031 Sample: Form_Disaffilia4.exe Startdate: 01/11/2021 Architecture: WINDOWS Score: 100 29 www.installfloors72hrs.com 2->29 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 10 other signatures 2->45 11 Form_Disaffilia4.exe 1 2->11         started        signatures3 process4 signatures5 57 Tries to detect Any.run 11->57 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Hides threads from debuggers 11->61 14 Form_Disaffilia4.exe 6 11->14         started        process6 dnsIp7 37 berationssyllenesliopa.com 45.82.177.176, 443, 49853 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 14->37 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Tries to detect Any.run 14->65 67 Maps a DLL or memory area into another process 14->67 69 3 other signatures 14->69 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 31 www.onyxroseonline.com 104.252.205.189, 49854, 80 EGIHOSTINGUS United States 18->31 33 diskonmitsubishibali.com 103.160.212.218, 49856, 80 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 18->33 35 3 other IPs or domains 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 22 explorer.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d6cef5aace8864164fc3a2f7027c70e6e220153b2c42feb4d05b367e6835d19/
Threat name:
Win32.Trojan.VBObfuse
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 11:00:24 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvwo6wvm5cdeczh4hixxaj6hbzxceaktwlcc722nawzwpzudlumq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
49609c0487ceeec0771547efd9277b01f494be83549bc0245330672ee962c50c
GuLoader
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
GuLoader
6b808cf78989a505d346c7a9e3d8d571cec2c21fe0ef9b3c1f5e04bbad6be3c2
GuLoader
7c7e7d1ad3f8afd0ffcba163bac7c1df9ceb8202a96a61b30b697569e00051b0
GuLoader
922015577a3e960d298f4abfe78c31146587b6e37e5c96f629cfd9b937d368f2
GuLoader
9f59a9c7a38d8031c5b0829da6c4c10951b1de67adada4f567449d4b6ea8d83c
GuLoader
cf754d403941881031f7d47f5bd9754861971e4e5f1c160ef7739883c71ae008
GuLoader
fdc199cc7273334e37c54304964720393d2431955627567fc44c6b68a3c3e056
GuLoader
+ 11'015 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:csn6 downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/211101-tmxqwsacb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Formbook Payload
Formbook
Guloader,Cloudeye
Malware Config
C2 Extraction:
http://www.dindeosh.com/csn6/
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/d394cbe5-ee11-415e-b8e6-f6ebb22669a9/
SH256 hash:
9d6cef5aace8864164fc3a2f7027c70e6e220153b2c42feb4d05b367e6835d19
MD5 hash:
0302274ac1df9b42f25d62dd768116a4
SHA1 hash:
6ce6f47f56dfbe00870f558948980d57c9877999
Link:
https://www.unpac.me/results/d394cbe5-ee11-415e-b8e6-f6ebb22669a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9d6cef5aace8864164fc3a2f7027c70e6e220153b2c42feb4d05b367e6835d19

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 9d6cef5aace8864164fc3a2f7027c70e6e220153b2c42feb4d05b367e6835d19

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/201150/

Comments