MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a
SHA3-384 hash: 261859bfe1e7328829265ddda0f3bf51243bec85ae48d96a6575ce48ff3f5532c328d9b7f0d87ef680582d1c9504c0c2
SHA1 hash: c526373cc21495053cdf3ff735f10e4f031659b7
MD5 hash: 4cea5d8cb3e0a17e942812e31667120a
humanhash: mirror-summer-comet-equal
File name:4cea5d8cb3e0a17e942812e31667120a
Download: download sample
Signature GuLoader
Create hunting rule
File size:126'976 bytes
First seen:2021-10-19 10:43:03 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1536:LEuul/7WYt61BPnueWzlCd46+Ml3ybnWbHPs:LEu4/7Rt61BPue4+46+s5HE
Threatray 11'689 similar samples on MalwareBazaar
TLSH T1C9C339AEB6D1EE61D28035B3CB1D4A11CBA2CD65DD41418F23C1BE8C6D77292E850FB6
Reporter zbetcheckin
Tags:GuLoader msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198462/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.31464.22154.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/616ea13aa9d585e6d52d9630/reports/173709a3-1580-429f-a38c-b4bec30258c6/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873023
Signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505451 Sample: XbcMYi7nv0 Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 6 other signatures 2->48 7 msiexec.exe 7 27 2->7         started        10 msiexec.exe 2 2->10         started        process3 file4 26 C:\Windows\Installer\MSIBA04.tmp, PE32 7->26 dropped 12 MSIBA04.tmp 1 1 7->12         started        process5 signatures6 50 Creates autostart registry keys with suspicious values (likely registry only malware) 12->50 52 Drops executables to the windows directory (C:\Windows) and starts them 12->52 54 Tries to detect Any.run 12->54 56 Hides threads from debuggers 12->56 15 MSIBA04.tmp 2 63 12->15         started        process7 dnsIp8 28 fieldomobify.com 162.251.80.22, 443, 49756 PUBLIC-DOMAIN-REGISTRYUS United States 15->28 30 63.250.40.204, 49757, 49763, 49764 NAMECHEAP-NETUS United States 15->30 32 www.fieldomobify.com 15->32 20 C:\Users\user\AppData\Local\...\KLUMSEDE.exe, PE32 15->20 dropped 22 C:\Users\user\AppData\Local\...\KLUMSEDE.vbs, ASCII 15->22 dropped 24 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 15->24 dropped 34 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->34 36 Tries to steal Mail credentials (via file access) 15->36 38 Tries to harvest and steal ftp login credentials 15->38 40 3 other signatures 15->40 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 10:43:07 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7
GuLoader
250d4d5045162c39e3c1b9d637e0188089299a04106202afdf1f4826d24e27f4
GuLoader
37fba5e93049ee78ac1fdf1fafe945636680193ddcb1dc9533f2c9ac80d3744c
GuLoader
4773c7c5c52d0163bfa32cb271399692831e00ff7e6877f0877091e111c9f063
GuLoader
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
GuLoader
6f476c63a6d699d1f0166313deb1e0f623c689882de8411bcd4f0b4f880526dd
GuLoader
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
GuLoader
bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c
GuLoader
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
GuLoader
+ 11'679 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection downloader persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211019-mr94fsgfaj/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Enumerates connected drives
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Guloader,Cloudeye
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://63.250.40.204/~wpdemo/file.php?search=6446112
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Microsoft Software Installer (MSI) msi be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1695802/
Cape
Cape
https://www.capesandbox.com/analysis/198462/

Comments


Avatar
zbet commented on 2021-10-19 10:43:05 UTC

url : hxxps://www.fieldomobify.com/ol/ol.msi