MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf3b3dbdeec58b9b018269cb0881f25708c1b0f0db5ed19228645e7e9ef00563. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf3b3dbdeec58b9b018269cb0881f25708c1b0f0db5ed19228645e7e9ef00563
SHA3-384 hash: 6470a6d3f6724b7c2b3e097d04c86e97315f2d4d8b5cb48ef0fb00f0ecc9c7aa7cb79b3baeaf4bc648e6d6034008e8db
SHA1 hash: bf6a91179cc2108159728395597946a9df874ff3
MD5 hash: 22703d73ef4ec763de5013db113d0bda
humanhash: enemy-august-freddie-indigo
File name:MRSK0052447.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:331'663 bytes
First seen:2023-03-28 12:38:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (51 x GuLoader, 16 x RemcosRAT, 15 x AgentTesla)
ssdeep 6144:MicFydAzxivUmv5reUOP/qHbuGkOyTysmV1f04/Vwu0FcYjaBOy/iJ:P+VivU0CKb4OcmffVwJFcC+/i
Threatray 602 similar samples on MalwareBazaar
TLSH T1016413032893D66BDA7205397C3A170186A34D5B2857978B77117FAABC36DA3413FB0A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8488c8c888c8c888 (9 x GuLoader, 1 x Formbook)
Reporter malwarelabnet
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MRSK0052447.exe
Verdict:
Malicious activity
Analysis date:
2023-03-28 12:39:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/309b12c4-58e5-4aeb-b3c6-2883ccfec8d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378168/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75414/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6422dfea39ca37cf45d04377/reports/dd9c82f7-ccbb-464f-95a5-4b0db05b69f4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/bf3b3dbdeec58b9b018269cb0881f25708c1b0f0db5ed19228645e7e9ef00563
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1e3b400-f469-45f9-a3ee-dac73cc839d6
Result
Threat name:
FormBook, GuLoader, Play
Create hunting rule
Detection:
malicious
Classification:
troj.evad.rans.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203431
Signature
Antivirus detection for URL or domain
Found potential ransomware demand text
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Yara detected Play Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 836344 Sample: MRSK0052447.exe Startdate: 28/03/2023 Architecture: WINDOWS Score: 100 33 www.texasgent.com 2->33 35 www.solya-shop.com 2->35 37 20 other IPs or domains 2->37 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 7 other signatures 2->53 10 MRSK0052447.exe 2 38 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\Roaming\...\mscorrc.dll, PE32+ 10->27 dropped 29 C:\Users\user\AppData\...\createdump.exe, PE32+ 10->29 dropped 31 C:\Users\user\AppData\Local\...\System.dll, PE32 10->31 dropped 67 Tries to detect Any.run 10->67 14 MRSK0052447.exe 6 10->14         started        signatures6 process7 dnsIp8 45 www.darhah.gq 162.240.214.176, 443, 49812 UNIFIEDLAYER-AS-1US United States 14->45 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Tries to detect Any.run 14->71 73 Maps a DLL or memory area into another process 14->73 75 2 other signatures 14->75 18 explorer.exe 3 1 14->18 injected signatures9 process10 dnsIp11 39 www.interactive-media.ru 88.212.206.251, 49817, 49885, 80 UNITEDNETRU Russian Federation 18->39 41 www.texasgent.com 81.17.18.194, 49867, 49868, 49869 PLI-ASCH Switzerland 18->41 43 12 other IPs or domains 18->43 55 System process connects to network (likely due to code injection or exploit) 18->55 57 Uses netstat to query active network connections and open ports 18->57 22 NETSTAT.EXE 13 18->22         started        signatures12 process13 signatures14 59 Tries to steal Mail credentials (via file / registry access) 22->59 61 Tries to harvest and steal browser information (history, passwords, etc) 22->61 63 Writes to foreign memory regions 22->63 65 3 other signatures 22->65 25 firefox.exe 22->25         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf3b3dbdeec58b9b018269cb0881f25708c1b0f0db5ed19228645e7e9ef00563/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-27 23:08:55 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x45t3ppoywfzwamcnhfqrapsk4emdmhq3npnderimrph5hxqavrq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
GuLoader
472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89
GuLoader
5a64a3fd65f7176b7ad623893e3cb573af13eb51850f8243a1951884eee757a9
GuLoader
7b8d50ac67b2f0de5e35909025cc1a8d15f5edd18675878c7aaa31e3fe83a9fd
GuLoader
9765dbd65a085f5367621bfec9f896cf9d37eb298cee6e8568d4488137d888b1
GuLoader
bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350
GuLoader
d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87
GuLoader
db19a753c3b30fefe4c2cad16fc3646fa1c4d4d3f662d1fc6e58fc8b61d44e57
GuLoader
f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841
GuLoader
fe4020d80a71155f6d6f490b3ff6d5699cf839c815da0e077b476ab0ba6b375b
GuLoader
+ 592 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/230328-pvmtfaba79/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/f642c79f-fcb3-4f55-9c88-c703b2c4b4f8/
SH256 hash:
bf3b3dbdeec58b9b018269cb0881f25708c1b0f0db5ed19228645e7e9ef00563
MD5 hash:
22703d73ef4ec763de5013db113d0bda
SHA1 hash:
bf6a91179cc2108159728395597946a9df874ff3
Link:
https://www.unpac.me/results/f642c79f-fcb3-4f55-9c88-c703b2c4b4f8/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf3b3dbdeec5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/bf3b3dbdeec58b9b018269cb0881f25708c1b0f0db5ed19228645e7e9ef00563

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/378168/

Comments