MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4bdfb7869d435589479e095b8d0c9c2b8f987bd3a8c961424376f18c31c650f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4bdfb7869d435589479e095b8d0c9c2b8f987bd3a8c961424376f18c31c650f
SHA3-384 hash: 9a09a9ec6f9f5a5383b5e154f87d63f9a4fe370527269447e3632d78cf4d8ec71afb35c83564ed3a20212c146bb9bd88
SHA1 hash: 07b3b8a0e9008e459bd7ba727dd8380320dbc5ad
MD5 hash: c5bf732066ab84d1abba5b27638a5191
humanhash: florida-xray-freddie-speaker
File name:SecuriteInfo.com.Variant.FakeAlert.2.24488.8627
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'490'944 bytes
First seen:2022-05-27 02:36:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a2a662be9dffc461398e7c94d0b55b4 (5 x GuLoader, 3 x CoinMiner, 3 x RedLineStealer)
ssdeep 24576:Nso5AJseqW68ZKg1gYLCh3JgzRQJHhrbMDEVuI2N1q:Nso5AJs+gYGh3JfEwVu4
TLSH T16F65BE88E9CEA255E81B9774E33DCC3851116D6EACF8184C6CCA7E2337773A6452B631
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.FakeAlert.2.24488.8627
Verdict:
Malicious activity
Analysis date:
2022-05-27 02:37:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/30a3cbfb-237a-4641-a2a2-5f076752152f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274871/
Detection(s):
SecuriteInfo.com.Variant.FakeAlert.2.24488.8627.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Moving a recently created file
Sending a custom TCP request
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Sending an HTTP GET request
Sending a UDP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/352c270c-3fa1-4d4f-ada8-2c741208dc56
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002443
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Drops PE files to the document folder of the user
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634939 Sample: SecuriteInfo.com.Variant.Fa... Startdate: 27/05/2022 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Found malware configuration 2->71 73 Antivirus detection for URL or domain 2->73 75 8 other signatures 2->75 9 SecuriteInfo.com.Variant.FakeAlert.2.24488.exe 1 2->9         started        13 Synaptics.exe 2->13         started        15 EXCEL.EXE 2->15         started        process3 file4 61 C:\Users\user\AppData\...\uniformerede.exe, PE32 9->61 dropped 95 Antivirus detection for dropped file 9->95 97 Machine Learning detection for dropped file 9->97 99 Adds a directory exclusion to Windows Defender 9->99 17 cmd.exe 1 9->17         started        19 cmd.exe 1 9->19         started        signatures5 process6 signatures7 22 uniformerede.exe 1 5 17->22         started        26 conhost.exe 17->26         started        77 Adds a directory exclusion to Windows Defender 19->77 28 powershell.exe 25 19->28         started        30 powershell.exe 24 19->30         started        32 conhost.exe 19->32         started        process8 file9 55 C:\ProgramData\Synaptics\Synaptics.exe, PE32 22->55 dropped 57 C:\ProgramData\Synaptics\RCXCD96.tmp, PE32 22->57 dropped 59 C:\Users\user\...\._cache_uniformerede.exe, PE32 22->59 dropped 89 Antivirus detection for dropped file 22->89 91 Machine Learning detection for dropped file 22->91 93 Contains functionality to detect sleep reduction / modifications 22->93 34 Synaptics.exe 51 22->34         started        39 ._cache_uniformerede.exe 6 29 22->39         started        signatures10 process11 dnsIp12 63 docs.google.com 172.217.168.14, 443, 49736, 49737 GOOGLEUS United States 34->63 65 freedns.afraid.org 69.42.215.252, 49739, 80 AWKNET-LLCUS United States 34->65 67 xred.mooo.com 34->67 45 C:\Users\user\Documents\DUUDTUBZFW\~$cache1, PE32 34->45 dropped 47 SecuriteInfo.com.V...keAlert.2.24488.exe, PE32 34->47 dropped 49 C:\Users\user\AppData\Local\...\YC9w8Aif.exe, PE32 34->49 dropped 53 2 other malicious files 34->53 dropped 79 Antivirus detection for dropped file 34->79 81 Drops PE files to the document folder of the user 34->81 83 Machine Learning detection for dropped file 34->83 85 Contains functionality to detect sleep reduction / modifications 34->85 41 WerFault.exe 34->41         started        43 WerFault.exe 34->43         started        51 C:\Users\user\AppData\Local\...\System.dll, PE32 39->51 dropped 87 Tries to detect virtualization through RDTSC time measurements 39->87 file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4bdfb7869d435589479e095b8d0c9c2b8f987bd3a8c961424376f18c31c650f/
Threat name:
Win32.Trojan.APost
Create hunting rule
Status:
Malicious
First seen:
2022-05-27 00:00:14 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=us67w6dj2q2vrfdz4ck3rugjyk4ptb55hkgjmfbeg5xrrqy4muhq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader persistence
Link:
https://tria.ge/reports/220527-c35yrsgdh7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/b3d40cc1-ea8e-42b0-acd0-4db4bf09e82b/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/b3d40cc1-ea8e-42b0-acd0-4db4bf09e82b/
SH256 hash:
539fac45388535d73b362a1aaf200b6a8c28b6e033866f55654b8d6da7b83eb3
MD5 hash:
1e0e7980f97392494bd55be1cf96e2a0
SHA1 hash:
5c627f21418e800e277e561f62a8c85a31e4f89c
Link:
https://www.unpac.me/results/b3d40cc1-ea8e-42b0-acd0-4db4bf09e82b/
SH256 hash:
8b0667ec191e96c251fce90fd0deeccc09f1024f78faf78b9ff32ded8b7cbb3d
MD5 hash:
fedad1adec8a1d90444051b5bdc6445d
SHA1 hash:
41ad10ee96250d8186d02e3d96923163cb664247
Link:
https://www.unpac.me/results/b3d40cc1-ea8e-42b0-acd0-4db4bf09e82b/
SH256 hash:
a4bdfb7869d435589479e095b8d0c9c2b8f987bd3a8c961424376f18c31c650f
MD5 hash:
c5bf732066ab84d1abba5b27638a5191
SHA1 hash:
07b3b8a0e9008e459bd7ba727dd8380320dbc5ad
Link:
https://www.unpac.me/results/b3d40cc1-ea8e-42b0-acd0-4db4bf09e82b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4bdfb7869d435589479e095b8d0c9c2b8f987bd3a8c961424376f18c31c650f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274871/

Comments