MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a07c124d0f9e49d59f7fbefc40086930d21a10807f0c6b1124b9924fb20eab6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a07c124d0f9e49d59f7fbefc40086930d21a10807f0c6b1124b9924fb20eab6c
SHA3-384 hash: 59beefd54353d48923ca285eb64d1a31cf90fa219bb9cf53fd8aa6bef0f9dfd76cfbe362292995b59d6109675fac182a
SHA1 hash: f939088169038d91e707723d53103daaed705ab7
MD5 hash: 3c7fffda5fde208e65954bfadec1c69b
humanhash: missouri-princess-fruit-eight
File name:Transport Plan.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:306'917 bytes
First seen:2023-03-23 12:51:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:kQLFhHAzxh9/lGie0pfbR/fpIp0qchFVDlkc2hIFQu/6PwONzkbaIdY:xFWVhR4ie+fbtqKF3kcX6PGq
Threatray 592 similar samples on MalwareBazaar
TLSH T13064120A3141C967C77B12B57D2D5F118B0BCF2740615B8B73A23BE538BEAA1012FA97
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8488c8c888c8c888 (9 x GuLoader, 1 x Formbook)
Reporter malwarelabnet
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transport Plan.exe
Verdict:
Malicious activity
Analysis date:
2023-03-23 12:52:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9a902f51-6a96-4c9d-9c8e-79d464df01b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376834/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Searching for the window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74419/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer guloader overlay packed shell32.dll trickbot
Link:
https://www.filescan.io/uploads/641c4b769c109cf74b2ed618/reports/726aa108-2f34-4b5d-b127-394defc3b543/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a07c124d0f9e49d59f7fbefc40086930d21a10807f0c6b1124b9924fb20eab6c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ce7d0d4b-fb9e-47db-a12a-7f0e82141aa0
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1200344
Signature
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 833250 Sample: Transport_Plan.exe Startdate: 23/03/2023 Architecture: WINDOWS Score: 100 38 www.solya-shop.com 2->38 40 www.maxhaidt.com 2->40 42 16 other IPs or domains 2->42 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 3 other signatures 2->66 11 Transport_Plan.exe 2 57 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 11->30 dropped 32 C:\...\api-ms-win-core-console-l1-2-0.dll, PE32+ 11->32 dropped 34 C:\Users\user\AppData\...\vmGuestLibJava.dll, PE32 11->34 dropped 36 C:\Users\user\AppData\Local\...\hmmapi.dll, PE32+ 11->36 dropped 78 Tries to detect Any.run 11->78 80 Opens the same file many times (likely Sandbox evasion) 11->80 15 Transport_Plan.exe 6 11->15         started        signatures6 process7 dnsIp8 50 www.wittofitentertainment.com 162.240.73.101, 443, 49817 UNIFIEDLAYER-AS-1US United States 15->50 52 Modifies the context of a thread in another process (thread injection) 15->52 54 Tries to detect Any.run 15->54 56 Maps a DLL or memory area into another process 15->56 58 2 other signatures 15->58 19 explorer.exe 2 1 15->19 injected signatures9 process10 dnsIp11 44 www.interactive-media.ru 88.212.206.251, 49823, 80 UNITEDNETRU Russian Federation 19->44 46 www.solya-shop.com 217.160.0.217, 49833, 49834, 49835 ONEANDONE-ASBrauerstrasse48DE Germany 19->46 48 9 other IPs or domains 19->48 68 System process connects to network (likely due to code injection or exploit) 19->68 23 systray.exe 13 19->23         started        signatures12 process13 signatures14 70 Tries to steal Mail credentials (via file / registry access) 23->70 72 Tries to harvest and steal browser information (history, passwords, etc) 23->72 74 Writes to foreign memory regions 23->74 76 3 other signatures 23->76 26 firefox.exe 23->26         started        process15 process16 28 WerFault.exe 4 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a07c124d0f9e49d59f7fbefc40086930d21a10807f0c6b1124b9924fb20eab6c/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 12:52:11 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ub6betiptze5lh37x36eacdjgdjbueeap4ggwejexgje7mqovnwa._file
Verdict:
malicious
Similar samples:
07fa172e1404c76738226cefc6e5d45559430c9946e419ed089d9ae5690783f9
GuLoader
1618cd5f5490038c34e179710ad15803a6549955b22a9d83b4f60eeccb7f2975
GuLoader
20fb078a0205ca04adf66dd2250409721698e14e9e1d2590eeff2873265e896b
GuLoader
6b017394a528be196879753f3c7ae1403aeda629a31b3b6993bc28921521808d
GuLoader
9765dbd65a085f5367621bfec9f896cf9d37eb298cee6e8568d4488137d888b1
GuLoader
b534709b0de0c4392af03fea261580b08915ae1e5a55496f85dc21500c6a8338
GuLoader
db19a753c3b30fefe4c2cad16fc3646fa1c4d4d3f662d1fc6e58fc8b61d44e57
GuLoader
dc5da53a5e93a588335b6561258d1540ac7d696c633d03de92e72d8e53254234
GuLoader
e1ac514b5cc907df4f0a6ed89cb6f17827302f89fd4cb95d8f8606b4d2e54d5b
GuLoader
+ 582 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230323-p3284afg28/
Behaviour
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Unpacked files
SH256 hash:
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
MD5 hash:
0063d48afe5a0cdc02833145667b6641
SHA1 hash:
e7eb614805d183ecb1127c62decb1a6be1b4f7a8
Link:
https://www.unpac.me/results/f17f06c4-68d8-4ef4-8947-9efbbe49e736/
Parent samples :
5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a
SH256 hash:
e8be29cc6f2f5855d97fde10ba53ea12f08aeda929d2088db701f5a1cf46fe1e
MD5 hash:
d88c14e5a9fb8c96aa0e68b43fea0c43
SHA1 hash:
772b7ee55ee1f7bd53c86bd4f219b3b55142508c
Link:
https://www.unpac.me/results/f17f06c4-68d8-4ef4-8947-9efbbe49e736/
SH256 hash:
a07c124d0f9e49d59f7fbefc40086930d21a10807f0c6b1124b9924fb20eab6c
MD5 hash:
3c7fffda5fde208e65954bfadec1c69b
SHA1 hash:
f939088169038d91e707723d53103daaed705ab7
Link:
https://www.unpac.me/results/f17f06c4-68d8-4ef4-8947-9efbbe49e736/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/376834/

Comments