MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4d2e40296ddd8f6127f9d2ba3703b134fee350602ee9c90f6d73737a2186a86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4d2e40296ddd8f6127f9d2ba3703b134fee350602ee9c90f6d73737a2186a86
SHA3-384 hash: 86808071400ad3b547d7c383c97681df9e1337434866683005df3f72dc9ade6dc15e0979a19745a171180ca681702d98
SHA1 hash: e5f07157885a949ee3079ff373c5c194fef68b3d
MD5 hash: 237ae9c41e2c59267fd4292a92d253fd
humanhash: uncle-cardinal-king-lemon
File name:rOrder_1520570_xlxs_z.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:575'847 bytes
First seen:2023-08-26 11:59:58 UTC
Last seen:2023-09-04 14:15:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 12288:f+u5SE/1IOWcV5SwtLp8d1uLIWFmvySIeWp+PuXE9MI7SuE4jXn:xcEdzhSwtLpU1iIySc09MDL4jXn
Threatray 2'990 similar samples on MalwareBazaar
TLSH T193C423517380E92FC9254376C26659F1EBB55E02D2229D470713BE887EF71A28E3F293
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter FXOLabs
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
rOrder_1520570_xlxs_z.exe
Verdict:
Malicious activity
Analysis date:
2023-08-26 12:01:14 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/4246e4a3-320b-4a2c-bf61-4c09303baf3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.NSIS.Injector.ASH.162271.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108675/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64e9e9485ec4a86232610099/reports/db846e94-4def-4a2d-935b-d5bc9858e51e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b4d2e40296ddd8f6127f9d2ba3703b134fee350602ee9c90f6d73737a2186a86
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/673ba012-a722-4c64-863f-023820d7aed4
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1297830
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1297830 Sample: rOrder_1520570_xlxs_z.exe Startdate: 26/08/2023 Architecture: WINDOWS Score: 100 64 www.utromz.online 2->64 66 www.ukgpay.top 2->66 68 24 other IPs or domains 2->68 86 Snort IDS alert for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 12 other signatures 2->92 11 rOrder_1520570_xlxs_z.exe 3 48 2->11         started        signatures3 process4 file5 62 C:\Users\user\AppData\Local\...\System.dll, PE32 11->62 dropped 120 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->120 122 Tries to detect Any.run 11->122 15 rOrder_1520570_xlxs_z.exe 6 11->15         started        signatures6 process7 dnsIp8 76 192.3.179.161, 49768, 49781, 80 AS-COLOCROSSINGUS United States 15->76 78 Modifies the context of a thread in another process (thread injection) 15->78 80 Tries to detect Any.run 15->80 82 Maps a DLL or memory area into another process 15->82 84 2 other signatures 15->84 19 explorer.exe 11 8 15->19 injected signatures9 process10 dnsIp11 70 www.retirement-villages-78880.bond 185.53.179.94, 49776, 80 TEAMINTERNET-ASDE Germany 19->70 72 www.beautiqui.shop 158.176.194.183, 49773, 80 SOFTLAYERUS United States 19->72 74 10 other IPs or domains 19->74 52 C:\Users\user\AppData\...\0jfd4bnzropm.exe, PE32 19->52 dropped 104 System process connects to network (likely due to code injection or exploit) 19->104 106 Benign windows process drops PE files 19->106 24 svchost.exe 1 18 19->24         started        28 0jfd4bnzropm.exe 36 19->28         started        30 0jfd4bnzropm.exe 36 19->30         started        32 raserver.exe 19->32         started        file12 signatures13 process14 file15 54 C:\Users\user\AppData\...\3MOlogrv.ini, data 24->54 dropped 56 C:\Users\user\AppData\...\3MOlogri.ini, data 24->56 dropped 108 Detected FormBook malware 24->108 110 Tries to steal Mail credentials (via file / registry access) 24->110 112 Tries to harvest and steal browser information (history, passwords, etc) 24->112 118 4 other signatures 24->118 34 cmd.exe 2 24->34         started        38 firefox.exe 1 24->38         started        40 cmd.exe 1 24->40         started        58 C:\Users\user\AppData\Local\...\System.dll, PE32 28->58 dropped 114 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->114 116 Tries to detect Any.run 28->116 42 0jfd4bnzropm.exe 6 28->42         started        60 C:\Users\user\AppData\Local\...\System.dll, PE32 30->60 dropped signatures16 process17 file18 48 C:\Users\user\AppData\Local\Temp\DB1, SQLite 34->48 dropped 94 Tries to harvest and steal browser information (history, passwords, etc) 34->94 44 conhost.exe 34->44         started        50 C:\Users\user\AppData\...\3MOlogrf.ini, data 38->50 dropped 46 conhost.exe 40->46         started        96 Modifies the context of a thread in another process (thread injection) 42->96 98 Tries to detect Any.run 42->98 100 Maps a DLL or memory area into another process 42->100 102 Sample uses process hollowing technique 42->102 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4d2e40296ddd8f6127f9d2ba3703b134fee350602ee9c90f6d73737a2186a86/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 18:53:05 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtjoiauw3xmpmet7tuv2g4b3cnh64nigalxjzehw243tpiqynkda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
0c2bfa1c8975deb05bc6fe48971ddf533e6649f27a34c34b4f42637e4ec8bc5e
GuLoader
0ee071fe8e2ee30d76e10af8bd67de6841332d430e65eb7268387fedd7fa1a48
GuLoader
190090b95e7c9b2410ceb2149bb1c4369550963e56693e331bda3d020a0018e2
GuLoader
2a8783a8fa5d2994fdce8d2bce2aeb59434d13534e9f13ccae8de38f72f0798f
GuLoader
3fc300b0b16fefb8d0dc08f09803d7dbff6be6ea2a4c87833fb285499a3fc6f0
GuLoader
40f5c4cf3de1461b42dc81ddaf6bf3c1956d27e85773d8828e798b79402e6e13
GuLoader
4a85949b7ffe19e22e4191b55b225cb3ac8b59246785144f585006b94e9ba574
GuLoader
4baf37305afca03942dfd3f13c173cd45d587cd358adde2b6f1596fc761eaae2
GuLoader
5032142ba20b1c3203fb0b6c8c5f6d52c4546b233b3d11b885b4296e4887d6a8
GuLoader
ca92353954eb428f99d73b11f26650f1ed59df39a99a04d45552c8b9ba4e1459
GuLoader
+ 2'980 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:ml21 downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/230826-n6bd4shh96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Formbook payload
Formbook
Guloader,Cloudeye
Unpacked files
SH256 hash:
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
MD5 hash:
a4dd044bcd94e9b3370ccf095b31f896
SHA1 hash:
17c78201323ab2095bc53184aa8267c9187d5173
Link:
https://www.unpac.me/results/b7054d24-f35c-44c9-ad29-f6714ea9a269/
SH256 hash:
b4d2e40296ddd8f6127f9d2ba3703b134fee350602ee9c90f6d73737a2186a86
MD5 hash:
237ae9c41e2c59267fd4292a92d253fd
SHA1 hash:
e5f07157885a949ee3079ff373c5c194fef68b3d
Link:
https://www.unpac.me/results/b7054d24-f35c-44c9-ad29-f6714ea9a269/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4d2e40296dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4d2e40296ddd8f6127f9d2ba3703b134fee350602ee9c90f6d73737a2186a86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe b4d2e40296ddd8f6127f9d2ba3703b134fee350602ee9c90f6d73737a2186a86

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments