MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aef53177b5c335884d1ad5d424ecdc989a7aa24e6b14f156ce3a909453412aae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aef53177b5c335884d1ad5d424ecdc989a7aa24e6b14f156ce3a909453412aae
SHA3-384 hash: d3cbde739055faa4f2fc99dcc69aecda3db73ca33192a69b7dd36465bae3bf6ae9e62b9ae2b92bbd0ccae17edfdb9312
SHA1 hash: 9981be8595b6643d7aae0fdc07cbd8a59dcdc74e
MD5 hash: adcc6f3486b4a41188ea03531cd2f90f
humanhash: summer-ten-steak-iowa
File name:Offer 4012654.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:346'208 bytes
First seen:2023-08-17 08:39:43 UTC
Last seen:2023-08-17 09:46:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d4b94e8ee3f620a89d114b9da4b31873 (90 x GuLoader, 18 x njrat, 9 x RemcosRAT)
ssdeep 6144:bqaFH+9jMuVefQp02NP8oCFCMDG7+CYplWLSeEDm0TWSuBY+K60:t50VefQp0iP83CMDGPYp8ODmTK60
Threatray 712 similar samples on MalwareBazaar
TLSH T1EE74F1B477249467C9BD0AB2F41B9DEE97B10FE084889B0633607E592C673C99C3D74A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f8fcbaee7aacc0 (2 x GuLoader, 1 x RemcosRAT)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-11T04:55:14Z
Valid to:2025-09-10T04:55:14Z
Serial number: 3bb83c15f19e12a68d8dcf4f1d89064b5fa4cf9f
Thumbprint Algorithm:SHA256
Thumbprint: 3e43b6c39171a2dbe15f21f4d2c04279922ea365ef1cf1757ba0957d856e0619
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
275
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Offer 4012654.exe
Verdict:
No threats detected
Analysis date:
2023-08-17 08:40:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/571d87b7-7e98-46de-a1ff-cfbeb2dcf7eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443166/
Detection(s):
SecuriteInfo.com.Win32.SuspectCrc.17453.2852.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a file
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/103033/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64dddce3ac089eb81238f9dd/reports/20009c31-15c3-430b-a37b-6633d70788af/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/aef53177b5c335884d1ad5d424ecdc989a7aa24e6b14f156ce3a909453412aae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e5f457ff-ddb9-4a88-a1fc-5ec50780763f
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292647
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Found malware configuration
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1292647 Sample: Offer_4012654.exe Startdate: 17/08/2023 Architecture: WINDOWS Score: 100 30 geoplugin.net 2->30 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 6 other signatures 2->50 8 Offer_4012654.exe 1 27 2->8         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\...\System.dll, PE32 8->26 dropped 52 Detected unpacking (changes PE section rights) 8->52 54 Contains functionality to modify clipboard data 8->54 56 Tries to detect Any.run 8->56 58 Maps a DLL or memory area into another process 8->58 12 Offer_4012654.exe 3 15 8->12         started        signatures6 process7 dnsIp8 32 212.83.46.177, 2404, 49867, 49869 TTMDE Germany 12->32 34 geoplugin.net 178.237.33.50, 49868, 80 ATOM86-ASATOM86NL Netherlands 12->34 36 155.94.136.161, 49866, 80 ASN-QUADRANET-GLOBALUS United States 12->36 28 C:\ProgramData\remcos\logs.dat, data 12->28 dropped 60 Tries to detect Any.run 12->60 62 Maps a DLL or memory area into another process 12->62 64 Installs a global keyboard hook 12->64 17 Offer_4012654.exe 1 12->17         started        20 Offer_4012654.exe 1 12->20         started        22 Offer_4012654.exe 1 12->22         started        24 27 other processes 12->24 file9 signatures10 process11 signatures12 38 Tries to steal Instant Messenger accounts or passwords 17->38 40 Tries to steal Mail credentials (via file / registry access) 17->40 42 Tries to harvest and steal browser information (history, passwords, etc) 24->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aef53177b5c335884d1ad5d424ecdc989a7aa24e6b14f156ce3a909453412aae/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-17 07:37:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v32tc55vym2yqti22xkcj3g4tcnhvisonmkpcvwohkijiu2bfkxa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
GuLoader
5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
GuLoader
65b9d65a82e6197a80a9214334c81d373440e12f53feb6896399647666c22792
GuLoader
723ff97e6559f6558c288ca693898592a21aab28c003883ca13b81667d7e3aef
GuLoader
9cd1b016ff9416679f96b8047284684816dc8dc5c61d698f2ff69a3d200477ca
GuLoader
ae7a2eab74a6dbeaa780094a1885f588405f0f8eda83910f14e22759d1f1b7aa
GuLoader
b09ed41c3a0e1a98d0035de279a32fa7e08e3eba69190b2cbf5f977301e58100
GuLoader
b5490460c53d27ef419898a98959bec49deb3ac3c3a8a23d63ce7dabe00af32e
GuLoader
f1efdace5d1171a1599ec3cdae2f3a508360d6e1c21cfb151749135ceeedc779
GuLoader
f7d5f219270af7750ec88e6bc13add921895d7bca13c58f596cfe86946ffae61
GuLoader
+ 702 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat spyware stealer
Link:
https://tria.ge/reports/230817-kkvzvagd76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
212.83.46.177:2404
Unpacked files
SH256 hash:
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
MD5 hash:
ee260c45e97b62a5e42f17460d406068
SHA1 hash:
df35f6300a03c4d3d3bd69752574426296b78695
Link:
https://www.unpac.me/results/229e7581-ab4c-454d-b68f-50e950b382a8/
SH256 hash:
aef53177b5c335884d1ad5d424ecdc989a7aa24e6b14f156ce3a909453412aae
MD5 hash:
adcc6f3486b4a41188ea03531cd2f90f
SHA1 hash:
9981be8595b6643d7aae0fdc07cbd8a59dcdc74e
Link:
https://www.unpac.me/results/229e7581-ab4c-454d-b68f-50e950b382a8/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aef53177b5c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/aef53177b5c335884d1ad5d424ecdc989a7aa24e6b14f156ce3a909453412aae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe aef53177b5c335884d1ad5d424ecdc989a7aa24e6b14f156ce3a909453412aae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/443166/

Comments