MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1a4c8e9a6fc55b72e34607c5101ae8440b2fe9826cfb80afa0c6dac9ccd45c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1a4c8e9a6fc55b72e34607c5101ae8440b2fe9826cfb80afa0c6dac9ccd45c1
SHA3-384 hash: f50866ef295ed7980562fadcc6f81d00cad361a38a9dfacbb787bd9a1d20e7e88ed81f6f2307558720ef9b3a1256ea43
SHA1 hash: 93cf03f66c4eb92787c6a1545a097c16ff51e254
MD5 hash: c2d3fae14da7e7e882436884b2953a51
humanhash: mirror-london-south-twelve
File name:Paid Invoices.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:929'608 bytes
First seen:2023-12-12 13:28:59 UTC
Last seen:2023-12-12 15:29:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 12288:lkucQ4FU1Fiij0G/CZporo1fNQdkf1r/ls16z61vIWwxY7HfUld+zFLamID1Eq:qbUjjbepo7dQ1rtssuBpwLd+zFLD2T
TLSH T1021523244DF1D4CAD5469131EEBDF5A28DABBE5399222D1E0F103B4A2033387953FA6D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0609c92327303d2c (1 x GuLoader)
Reporter malwarelabnet
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:macrli
Issuer:macrli
Algorithm:sha256WithRSAEncryption
Valid from:2023-08-16T10:18:33Z
Valid to:2026-08-15T10:18:33Z
Serial number: 321b63e4b645a7a76c31113e50bb9bec08a02554
Thumbprint Algorithm:SHA256
Thumbprint: c6555cc0fab8419b05133e144aa607b2b5200c0249fdbc008de6844c9f12b6ef
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466390/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.4010.19760.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Launching a process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/657860273636548f374cb88d/reports/82beed86-3902-4135-8e22-74b0edfbc77e/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/b1a4c8e9a6fc55b72e34607c5101ae8440b2fe9826cfb80afa0c6dac9ccd45c1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd7a754a-b7f7-447f-b33a-fb9426f3a5f7
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1360146
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1360146 Sample: Paid_Invoices.exe Startdate: 12/12/2023 Architecture: WINDOWS Score: 100 49 www.transportheaven.com 2->49 51 www.nrdz.life 2->51 53 20 other IPs or domains 2->53 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 Yara detected FormBook 2->73 75 2 other signatures 2->75 12 Paid_Invoices.exe 2 29 2->12         started        15 ImagingDevices.exe 2 2->15         started        signatures3 process4 file5 47 C:\Users\user\AppData\...ftertankerne.Aut, data 12->47 dropped 17 powershell.exe 12 12->17         started        20 ImagingDevices.exe 15->20         started        process6 signatures7 63 Suspicious powershell command line found 17->63 65 Very long command line found 17->65 67 Found suspicious powershell code related to unpacking or dynamic code loading 17->67 22 powershell.exe 15 17->22         started        25 conhost.exe 17->25         started        process8 signatures9 77 Writes to foreign memory regions 22->77 27 ImagingDevices.exe 6 22->27         started        31 wab.exe 22->31         started        33 wab.exe 22->33         started        35 9 other processes 22->35 process10 dnsIp11 61 dealeadz.com 69.49.229.22, 443, 49714 UNIFIEDLAYER-AS-1US United States 27->61 87 Maps a DLL or memory area into another process 27->87 89 Hides threads from debuggers 27->89 37 pSthlqmZTPAaajsdrPk.exe 27->37 injected signatures12 process13 process14 39 verclsid.exe 1 13 37->39         started        signatures15 79 Tries to steal Mail credentials (via file / registry access) 39->79 81 Tries to harvest and steal browser information (history, passwords, etc) 39->81 83 Writes to foreign memory regions 39->83 85 3 other signatures 39->85 42 pSthlqmZTPAaajsdrPk.exe 39->42 injected 45 firefox.exe 39->45         started        process16 dnsIp17 55 www.apexpion.club 203.161.62.199, 49742, 49743, 49744 VNPT-AS-VNVNPTCorpVN Malaysia 42->55 57 www.weber-e-store.com 91.195.240.117, 49715, 49754, 49755 SEDO-ASDE Germany 42->57 59 9 other IPs or domains 42->59
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b1a4c8e9a6fc55b72e34607c5101ae8440b2fe9826cfb80afa0c6dac9ccd45c1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1a4c8e9a6fc55b72e34607c5101ae8440b2fe9826cfb80afa0c6dac9ccd45c1/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 09:35:22 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgsmr2ng7rk3olrumb6fcanoqralf7uye3h3qcx2brw2zhgnixaq._file
Verdict:
malicious
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/231212-qq8qsadfcl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Guloader,Cloudeye
Unpacked files
SH256 hash:
b1a4c8e9a6fc55b72e34607c5101ae8440b2fe9826cfb80afa0c6dac9ccd45c1
MD5 hash:
c2d3fae14da7e7e882436884b2953a51
SHA1 hash:
93cf03f66c4eb92787c6a1545a097c16ff51e254
Link:
https://www.unpac.me/results/2c0212cc-279f-45b2-96d5-9a3bab678b67/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1a4c8e9a6fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b1a4c8e9a6fc55b72e34607c5101ae8440b2fe9826cfb80afa0c6dac9ccd45c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/466390/

Comments