MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
SHA3-384 hash: d3fa783cda6ce623ba4a97068e479fdf63de65cc31cd3a4dcca93fca08dc3e6e0d9bf956bfbb227152843a43de930db3
SHA1 hash: 59708813a1744a959c35a0412f4bd2cae862ffa0
MD5 hash: 92189d2d76db2a5549f25e35a52a2451
humanhash: jig-early-fanta-timing
File name:92189d2d76db2a5549f25e35a52a2451.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:3'596'632 bytes
First seen:2023-08-02 17:39:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (277 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 98304:rZxnMDp/mW16XnaVn/tW5xZIx1OlX3Uzh7v6ExZTuEP7:rZZMD3wXajW76xIXkzhdf
Threatray 58 similar samples on MalwareBazaar
TLSH T14FF53302DA45D5FBE6B206B06621BEA8DFC9F401E3200717637C9DA6BB94AF4530D673
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0cbecc96b63e1a02 (1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92189d2d76db2a5549f25e35a52a2451.exe
Verdict:
Malicious activity
Analysis date:
2023-08-02 17:40:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eeedcfb5-fad1-489b-90c7-ec7f0debc515

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439891/
Detection(s):
Win.Adware.Dotdo-7641460-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
Launching many processes
Creating a window
Blocking the Windows Defender launch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64ca94f494fb102ea38c1628/reports/953ff4fd-4eee-4edb-9373-8f3002236cf8/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/af13954d-cae0-4f73-bc6d-c734c1e78deb
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1284605
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Submitted sample is a known malware sample
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1284605 Sample: Ptmhbplhxb.exe Startdate: 02/08/2023 Architecture: WINDOWS Score: 60 30 Multi AV Scanner detection for dropped file 2->30 32 Multi AV Scanner detection for submitted file 2->32 7 Ptmhbplhxb.exe 29 2->7         started        process3 file4 22 C:\Users\user\AppData\...\pdzaicbnewkzt.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\...\gafvvkhmsfjamrm.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\Local\...\SetACL64.exe, PE32+ 7->26 dropped 28 4 other files (3 malicious) 7->28 dropped 34 Submitted sample is a known malware sample 7->34 11 cmd.exe 1 7->11         started        signatures5 process6 signatures7 36 Uses cmd line tools excessively to alter registry or file data 11->36 14 conhost.exe 11->14         started        16 SetACL32.exe 1 11->16         started        18 SetACL32.exe 1 11->18         started        20 37 other processes 11->20 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-02 13:26:51 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xh635czindlyyl56mmvifuicx5ntgszfnuqvmxrroo5i5pqwtosq._file
Verdict:
malicious
Similar samples:
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
GuLoader
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/230802-v8vn4ahd7s/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Windows security modification
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender notification settings
Modifies security service
Unpacked files
SH256 hash:
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
MD5 hash:
b38561661a7164e3bbb04edc3718fe89
SHA1 hash:
f13c873c8db121ba21244b1e9a457204360d543f
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/f244c17d-f903-433c-af1b-4d9d197e908c/
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
SH256 hash:
c961a668ab26f359d2e41dbf193b86e2a3d57718f9573e2c1e5653fbff4475c8
MD5 hash:
b88e44934380b0f24411d7da8c635e1f
SHA1 hash:
5f122b1aa332263c6c8273d926971b57955293ff
Link:
https://www.unpac.me/results/f244c17d-f903-433c-af1b-4d9d197e908c/
SH256 hash:
9126b3764f51881dffdffc0085e75373a503aa48e7d7b8473aa28bd03e295a50
MD5 hash:
9cd748e05b204b6eee4cc6faf5b4a169
SHA1 hash:
5edfcedb067390bd21a53c47097a6a1f172fcc19
Link:
https://www.unpac.me/results/f244c17d-f903-433c-af1b-4d9d197e908c/
SH256 hash:
bf0cf3990c6c23dd91ec21071c31537f36355b6d6900358e1536b9a377427619
MD5 hash:
26fc881f84b7f9081cf6b58ab8f9ec08
SHA1 hash:
c4424b9a716392228d55f7d067592d77e9d1b5d2
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/f244c17d-f903-433c-af1b-4d9d197e908c/
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
SH256 hash:
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
MD5 hash:
92189d2d76db2a5549f25e35a52a2451
SHA1 hash:
59708813a1744a959c35a0412f4bd2cae862ffa0
Link:
https://www.unpac.me/results/f244c17d-f903-433c-af1b-4d9d197e908c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/439891/

Comments