MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1b72731ababb98a1ef377943d1995a6cb5860585d8e3573db27c095aa28c04a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1b72731ababb98a1ef377943d1995a6cb5860585d8e3573db27c095aa28c04a
SHA3-384 hash: 48748e903fbbde6cab32d50ae84fbec026bc6b99f8f2ae1977046d87e68b4b4a5fdb18b5272d13a0b61215e3fb63385e
SHA1 hash: 63f999f7b8eeee207546b08a69b54b5ac13753ff
MD5 hash: 2a5536e277d7c71bd7a8fd7b1ffd7afd
humanhash: diet-bluebird-emma-october
File name:file
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'263'895 bytes
First seen:2023-12-21 19:51:24 UTC
Last seen:2024-01-13 01:00:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e990dd07e89d04c53e337ab9b3f5e0cc (15 x GuLoader, 11 x VIPKeylogger, 3 x Pony)
ssdeep 24576:9qr3545pTbaTkXSafBClDXSy/dbsqSGqsYeLlIe3KeBpwnoc3V:gy1b0kXSPFVbsqHqleLzBBEPV
Threatray 30 similar samples on MalwareBazaar
TLSH T1A34523797361EC63F11EA13149429369F620FA3002700377B3B15FAEEA5B5875F62A8D
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 2703034b53031113 (1 x GuLoader)
Reporter jstrosch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
5
# of downloads :
299
Origin country :
US US
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Invoices.xls
Verdict:
Malicious activity
Analysis date:
2023-12-21 11:16:05 UTC
Tags:
phishing phishing-xls opendir guloader loader exploit cve-2017-11882
Link:
https://app.any.run/tasks/9f682c91-3463-4069-adf6-0c295af4618a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468873/
Detection(s):
SecuriteInfo.com.FileRepMalware.11263.2787.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/658497656b1c24604600347c/reports/eb947803-1bf7-4c2b-a47a-c546291041b7/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a1b72731ababb98a1ef377943d1995a6cb5860585d8e3573db27c095aa28c04a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/757e5912-6b15-4b36-b14f-b4c0decadeee
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365822
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365822 Sample: file.exe Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 47 www.zenithdash.xyz 2->47 49 www.synergyinnovationgroup.com 2->49 51 5 other IPs or domains 2->51 57 Snort IDS alert for network traffic 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 65 3 other signatures 2->65 12 file.exe 12 47 2->12         started        signatures3 63 Performs DNS queries to domains with low reputation 47->63 process4 file5 37 C:\Users\user\AppData\...\Affictbr.For, data 12->37 dropped 39 C:\Users\user\AppData\Local\...\nsx52BE.tmp, data 12->39 dropped 15 powershell.exe 12 12->15         started        process6 signatures7 77 Suspicious powershell command line found 15->77 79 Very long command line found 15->79 81 Found suspicious powershell code related to unpacking or dynamic code loading 15->81 18 powershell.exe 15 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 55 Writes to foreign memory regions 18->55 23 wab.exe 6 18->23         started        process10 dnsIp11 53 synergyinnovationgroup.com 65.60.36.22, 443, 49734 SINGLEHOP-LLCUS United States 23->53 67 Maps a DLL or memory area into another process 23->67 27 iZmmDMdaOrMdkZNc.exe 23->27 injected signatures12 process13 process14 29 auditpol.exe 13 27->29         started        signatures15 69 Tries to steal Mail credentials (via file / registry access) 29->69 71 Tries to harvest and steal browser information (history, passwords, etc) 29->71 73 Writes to foreign memory regions 29->73 75 3 other signatures 29->75 32 iZmmDMdaOrMdkZNc.exe 29->32 injected 35 firefox.exe 29->35         started        process16 dnsIp17 41 www.caffleoraret.cyou 109.123.121.243, 49741, 49742, 49743 UK2NET-ASGB United Kingdom 32->41 43 www.zenithdash.xyz 162.0.225.191, 49745, 49746, 49747 NAMECHEAP-NETUS Canada 32->43 45 2 other IPs or domains 32->45
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a1b72731ababb98a1ef377943d1995a6cb5860585d8e3573db27c095aa28c04a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1b72731ababb98a1ef377943d1995a6cb5860585d8e3573db27c095aa28c04a/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-12-21 11:50:37 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
7 of 37 (18.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ug3somnlvo4yuhxto6kd2gmvu3fvqycylwhdk463e7ajlkriybfa._file
Verdict:
malicious
Similar samples:
0c676c2e5e20df05118d77d43abdf26828b2780b06886831a705483432b86e78
GuLoader
17a3293a002eb2a940c7face62fccf977cd1ac97714c0c77d344c6948997a4fa
GuLoader
2051138003c024d619292ea1a12d0b813946bc88d885d8a1c49478804acb2d92
GuLoader
405c6ef30357c9ef5c53787a35f2c20c3311d835eb2d15f61038005efcd19c3c
GuLoader
7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d
GuLoader
d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204
GuLoader
e028ec06b305b12ae0084a95ff95118dfc97c1870337742446d6981951119c16
GuLoader
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231221-yldzlsebg9/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
a1b72731ababb98a1ef377943d1995a6cb5860585d8e3573db27c095aa28c04a
MD5 hash:
2a5536e277d7c71bd7a8fd7b1ffd7afd
SHA1 hash:
63f999f7b8eeee207546b08a69b54b5ac13753ff
Link:
https://www.unpac.me/results/958a8773-71ec-46c4-b8bf-b1211e8c9fdd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1b72731ababb98a1ef377943d1995a6cb5860585d8e3573db27c095aa28c04a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe a1b72731ababb98a1ef377943d1995a6cb5860585d8e3573db27c095aa28c04a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2742117/
Cape
Cape
https://www.capesandbox.com/analysis/468873/

Comments