MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader
Vendor detections: 7



SHA256 hash: b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310
SHA3-384 hash: 44e5dcdbfa3d13020d00d12a62b350c870f915f39d516510eb222d42503f22b99e567ca03740c253877f5eb49caab78f
SHA1 hash: 23b477810f258963e62458ed02e82c58c8c00adc
MD5 hash: 4103a2b04ede0d36e5079f6799cdfa14
humanhash: eight-uranus-juliet-march
File name: 4103a2b04ede0d36e5079f6799cdfa14
Signature: GuLoader
File size: 101'736 bytes
First seen: 2021-09-08 12:04:03 UTC
Last seen: 2021-09-08 18:27:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 000ed791bfecbc3bb69fb230428c55f9 (8 x GuLoader)
ssdeep: 1536:ND6lvtwb+xf5+DHztjos4Jmmq9vwzYxaIVUDqeMk3:N+twbk5+ZYmmqRnVU2eMk3
TLSH: T158A36DB235E97C82EFC1C5F205FE41AD08569CF21BDAAB073898267C0E1BA94FF52515
dhash icon: f87ececececece0c (10 x GuLoader)
Reporter: zbetcheckin
Tags: 32 exe GuLoader signed

Code Signing Certificate

Organisation: admissi
Issuer: admissi
Algorithm: sha256WithRSAEncryption
Valid from: 2021-09-07T08:42:29Z
Valid to: 2022-09-07T08:42:29Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: c511c43ba5608700b11d55d791a0c31db21a30251d72e7af866afcfefbf8f283
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 3
# of downloads: 142
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Payment Swift ref. 0000378062021.xlsx
Verdict: Malicious activity
Analysis date: 2021-09-08 10:56:01 UTC
Tags: encrypted opendir exploit CVE-2017-11882 loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Result
Threat name: GuLoader Azorult
Detection: malicious
Classification: troj.evad.phis.spyw
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph (the rendered graph image is not available; the details recoverable from it are listed below)
Behavior Graph ID: 479789
Sample: X4lLneI8ZK.exe
Start date: 08/09/2021
Architecture: WINDOWS
Score: 100

Signatures attached to the sample node:
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
6 other signatures

Contacted domains and IPs:
smdglo.xyz (31.210.20.16, 49820, 49821, 80; PLUSSERVER-ASN1DE, Netherlands)
prda.aadg.msidentity.com
googlehosted.l.googleusercontent.com (142.251.36.1, 443, 49819; GOOGLEUS, United States)
2 other IPs or domains

Process tree:
X4lLneI8ZK.exe (started)
  Self deletion via cmd delete
  Tries to detect Any.run
  Tries to detect virtualization through RDTSC time measurements
  Hides threads from debuggers
  X4lLneI8ZK.exe (started)
    Network: smdglo.xyz, googlehosted.l.googleusercontent.com, 2 other IPs or domains
    Dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32)
    Dropped: C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32)
    Dropped: C:\Users\user\AppData\Local\...\softokn3.dll (PE32)
    Dropped: 45 other files (none is malicious)
    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    Tries to steal Instant Messenger accounts or passwords
    Tries to steal Mail credentials (via file access)
    7 other signatures
    cmd.exe (started)
      conhost.exe (started)
      timeout.exe (started)
Threat name: Win32.Trojan.VBObfuse
Status: Malicious
First seen: 2021-09-07 21:30:59 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 18 of 28 (64.29%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: guloader
Score: 10/10
Tags: family:guloader downloader
Behaviour
Suspicious use of SetWindowsHookEx
Guloader, Cloudeye
Unpacked files
SHA256 hash: b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310
MD5 hash: 4103a2b04ede0d36e5079f6799cdfa14
SHA1 hash: 23b477810f258963e62458ed02e82c58c8c00adc
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: GuLoader
File: Executable exe b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2021-09-08 12:04:04 UTC

url : hxxp://192.3.141.149/xpay/BIN.exe