MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a65d60a0e83a78f2a7c81f0b867a727dccdaafc47485e7c5196563d9dcfe6328. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a65d60a0e83a78f2a7c81f0b867a727dccdaafc47485e7c5196563d9dcfe6328
SHA3-384 hash: 3f791a226e05d71d7f6c36b2f0e7fdcef9fe64adc018a9e6937a745574d16947018918fed2aa9119ae7d2e87a0cb37b8
SHA1 hash: d3530ca6a23dfef0bc21669b8eec294d39f43b7c
MD5 hash: db891aecc32f2fde30f77e91b3c16c7c
humanhash: india-mexico-pennsylvania-pip
File name:Pagos.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:384'420 bytes
First seen:2023-07-25 13:58:34 UTC
Last seen:2023-07-25 14:34:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 39 x VIPKeylogger)
ssdeep 6144:zMm4CC4ksM11D7OZirD3UHQlOGCIiX4S3kBg9FrOnIJw1HTnpO/unR4dj:zMwxks01OssGCIiISUBg9wV7k/6RYj
Threatray 1'039 similar samples on MalwareBazaar
TLSH T1658412A1B922C1ABC65142B12832D9BB6FE39F15D9580F1B63493F4F793C7D2848F612
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 020375d60608ae06 (6 x GuLoader)
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pagos.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-25 14:01:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/534e2e4d-4ee5-4809-bf4e-6d5f0f4e27fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/432226/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.14.20315.21208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a65d60a0e83a78f2a7c81f0b867a727dccdaafc47485e7c5196563d9dcfe6328
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/03ac4191-6d68-4fbf-a3bd-1d727d65ba8f
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279226
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1279226 Sample: Pagos.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 32 www.yokaiph.store 2->32 34 www.wsaas.agency 2->34 36 21 other IPs or domains 2->36 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 6 other signatures 2->56 10 Pagos.exe 2 38 2->10         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 10->30 dropped 68 Tries to detect Any.run 10->68 14 Pagos.exe 6 10->14         started        signatures6 process7 dnsIp8 44 googlehosted.l.googleusercontent.com 142.250.181.225, 443, 50272 GOOGLEUS United States 14->44 46 drive.google.com 216.58.212.174, 443, 50271 GOOGLEUS United States 14->46 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Tries to detect Any.run 14->72 74 Maps a DLL or memory area into another process 14->74 76 Queues an APC in another process (thread injection) 14->76 18 RAVCpl64.exe 14->18 injected signatures9 process10 signatures11 48 Sample uses process hollowing technique 18->48 21 ipconfig.exe 13 18->21         started        process12 signatures13 58 Tries to steal Mail credentials (via file / registry access) 21->58 60 Tries to harvest and steal browser information (history, passwords, etc) 21->60 62 Writes to foreign memory regions 21->62 64 3 other signatures 21->64 24 explorer.exe 2 1 21->24 injected 28 firefox.exe 21->28         started        process14 dnsIp15 38 www.yokaiph.store 185.27.134.59, 50304, 50305, 50306 WILDCARD-ASWildcardUKLimitedGB United Kingdom 24->38 40 cvanalysiswithai.com 67.20.76.62, 50308, 50309, 50310 UNIFIEDLAYER-AS-1US United States 24->40 42 14 other IPs or domains 24->42 66 System process connects to network (likely due to code injection or exploit) 24->66 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a65d60a0e83a78f2a7c81f0b867a727dccdaafc47485e7c5196563d9dcfe6328/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 12:55:21 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzowbihihj4pfj6id4fym6tspxgnvl6eosc6prizmvr5txh6mmua._file
Verdict:
unknown
Similar samples:
12d7296fa8ee95861d67877223842af8b28608bc8ea32cdff1c269701da3727e
GuLoader
14ac214aee66557d77577da7211f5fa6476753b38ff8b40738c660a88c8ffd35
GuLoader
1d8ffbf2a386718acac9f307a0b0315be1831b7a3407aeed7cd4b510db02a72c
GuLoader
3dc7db596de22ffac1c2d38a52dcae0267c816812acde74cf7cf57b219d40f11
GuLoader
46eeb436a29d74d779e09058eb574f83903c09c31706791288842640ddd94052
GuLoader
7a08e064522b59f7198565d2437e6c1347837fc3bb0ddb2077e358d061160484
GuLoader
99db3b5192d77a3db297df19db4e486c3af98416b0c023720fa2f3e88d6086cf
GuLoader
c36591c7c0ef136b66dcf2955035ffc43ccd7fa6d6ce8c65f747dbe0aff7814e
GuLoader
ea70b9979a341160863f08becfdeb80c64450b37521dbbd6341cd4b88248a65d
GuLoader
ec9d091c881ad4da6f5e77f947c2723b1aa374fbf373931871c767dfb9cabb0e
GuLoader
+ 1'029 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230725-radq5scg69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/6dfbb936-38b2-46d2-a873-9c1bcb26e97d/
SH256 hash:
a65d60a0e83a78f2a7c81f0b867a727dccdaafc47485e7c5196563d9dcfe6328
MD5 hash:
db891aecc32f2fde30f77e91b3c16c7c
SHA1 hash:
d3530ca6a23dfef0bc21669b8eec294d39f43b7c
Link:
https://www.unpac.me/results/6dfbb936-38b2-46d2-a873-9c1bcb26e97d/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a65d60a0e83a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a65d60a0e83a78f2a7c81f0b867a727dccdaafc47485e7c5196563d9dcfe6328

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/432226/

Comments