MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2b5ddc4640236c4a5e09ae3418a1243d2ab37fc787999f8a3f8a3ec1f7deece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2b5ddc4640236c4a5e09ae3418a1243d2ab37fc787999f8a3f8a3ec1f7deece
SHA3-384 hash: 74a3a475468492082d9a2176f0c1a6617defd6de58ff35a126b7420d7e4644e6e294a3b62d2fe3de448911bb313e8893
SHA1 hash: 63b9bd268ba0ce2b98c6cf134616137f3ce928cc
MD5 hash: e07871d715a7adf70c2fc37226e63363
humanhash: nevada-oranges-spring-green
File name:Pago-202301204008.pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:971'999 bytes
First seen:2023-04-12 13:45:25 UTC
Last seen:2023-04-12 14:02:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 24576:gtGv1mBkd10lGzi77fgk50cV6u+0JZzwnOgbJuZ1:gQt3QGCVP+iZzwnFo7
Threatray 569 similar samples on MalwareBazaar
TLSH T1E825CF17E1608A97CD6143F03523B364D3E6AEBCB859395A99B0333FA0B59879E3350D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b0ce2e2733b1bc9a (2 x GuLoader)
Reporter malwarelabnet
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pago-202301204008.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-12 13:46:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97bd2b36-f2b3-4887-a7f9-fa48f98f80b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381841/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77621/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6436b61a52b6494cf6a68a42/reports/0271d25e-0194-4148-a9ca-83625c62c731/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a2b5ddc4640236c4a5e09ae3418a1243d2ab37fc787999f8a3f8a3ec1f7deece
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/af7d19ab-6cb4-4cd8-9831-ab5df87cc76f
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1212612
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 845541 Sample: Pago-202301204008.pdf.exe Startdate: 12/04/2023 Architecture: WINDOWS Score: 96 34 Snort IDS alert for network traffic 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 3 other signatures 2->40 7 Pago-202301204008.pdf.exe 1 25 2->7         started        process3 file4 22 C:\Users\user\...\Unchaptered.Gul, data 7->22 dropped 24 C:\Users\user\...\ldif60.dll, PE32 7->24 dropped 26 C:\Users\user\...\System.Web.dll, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 7->28 dropped 42 Writes to foreign memory regions 7->42 44 Tries to detect Any.run 7->44 11 CasPol.exe 1 15 7->11         started        16 CasPol.exe 7->16         started        18 CasPol.exe 7->18         started        signatures5 process6 dnsIp7 32 45.81.243.83, 49842, 80 LVLT-10753US Germany 11->32 30 C:\Users\user\AppData\Roaming\...\MARY.exe, PE32 11->30 dropped 46 Tries to detect Any.run 11->46 20 conhost.exe 11->20         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2b5ddc4640236c4a5e09ae3418a1243d2ab37fc787999f8a3f8a3ec1f7deece/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-04-12 12:51:11 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uk253rdeai3mjjpatlrudcqsipjkwn74pb4zt6fd7cr6yh3553ha._file
Verdict:
unknown
Similar samples:
3d715fab1455552a0c842dc9666ccb29d2c85522c38487d86bb861416d1cdaed
GuLoader
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
GuLoader
55beb416633c883379bf87ea17c16fd389ef84e9c1b0b469df01fc2e5742f3c4
GuLoader
5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
GuLoader
5d0c5b1a7131a3e3ec0fd0ccff7b97b6edb3dc8c43fed4d3e314a7b866d35325
GuLoader
a43a0cacbfaf5aa649acc0d29ce25855ea92c50af2729f30c5f2ecfad376ef4d
GuLoader
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
GuLoader
ef56f8c0615d059de3d0f669b651d38caf535155878ff4bc7d1b1a62abd45213
GuLoader
ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
GuLoader
+ 559 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230412-q2ypyseb3x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
MD5 hash:
17ed1c86bd67e78ade4712be48a7d2bd
SHA1 hash:
1cc9fe86d6d6030b4dae45ecddce5907991c01a0
Link:
https://www.unpac.me/results/ab092d62-0c1a-411a-a2fd-1d593a02b33a/
SH256 hash:
a2b5ddc4640236c4a5e09ae3418a1243d2ab37fc787999f8a3f8a3ec1f7deece
MD5 hash:
e07871d715a7adf70c2fc37226e63363
SHA1 hash:
63b9bd268ba0ce2b98c6cf134616137f3ce928cc
Link:
https://www.unpac.me/results/ab092d62-0c1a-411a-a2fd-1d593a02b33a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2b5ddc4640236c4a5e09ae3418a1243d2ab37fc787999f8a3f8a3ec1f7deece

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/381841/

Comments