MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695
SHA3-384 hash: 116ccd455583f7ae2b669c7ae0cec70880ae2e8705d272a6d673fe50a7471fd522f31916f855cec7f3225f98a0c21e8d
SHA1 hash: 6d2fab13f44daf6c50fd9baf10317fdf03f46443
MD5 hash: e63cfbd518e5a8466c190a4c6fcc3ef1
humanhash: ohio-cardinal-quebec-lactose
File name:bin.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'016'800 bytes
First seen:2024-03-22 15:35:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep 24576:bT3CXCkOoTMDPfzHfIsUA7vwD7tNx2cGHgj42:btUMbjYA7ytN+gj42
Threatray 857 similar samples on MalwareBazaar
TLSH T1E9250183E3550947C8D4083854AB0B745D33DEA9F816A64B3B65362E2FF33C2AD5E94E
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b876c6a6b498d162 (2 x GuLoader)
Reporter Anonymous
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Plantes
Issuer:Plantes
Algorithm:sha256WithRSAEncryption
Valid from:2023-11-04T02:51:26Z
Valid to:2026-11-03T02:51:26Z
Serial number: 28c95dcc57976eebf4f1c27e55c1a713b18143fa
Thumbprint Algorithm:SHA256
Thumbprint: 7d1aa8f648293e407b60b2b745fc883995a08c98408f4a333887fcf47cdbed4b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695.exe
Verdict:
Malicious activity
Analysis date:
2024-03-22 15:38:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5dcc60db-addd-4f67-992f-8edaa1478709

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% directory
Delayed reading of the file
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65fda561f074ad892e59ac05/reports/e2807620-0593-441e-ba83-74f42eb0c859/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2a706e75-6303-4b87-8780-49c34bd1f4a9
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1414134
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1414134 Sample: bin.exe Startdate: 22/03/2024 Architecture: WINDOWS Score: 100 38 www.eh28mf3cdv.xyz 2->38 40 zopter.dev 2->40 42 28 other IPs or domains 2->42 56 Snort IDS alert for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 64 4 other signatures 2->64 10 bin.exe 6 562 2->10         started        signatures3 62 Performs DNS queries to domains with low reputation 38->62 process4 file5 30 C:\Users\user\Femdoble19\...\hysterophyta.sys, data 10->30 dropped 32 C:\Users\user\...fterbevillingen.Mis, data 10->32 dropped 34 C:\Users\user\Femdoble19\...\unreverend.amo, COM 10->34 dropped 36 2 other files (none is malicious) 10->36 dropped 76 Sample is not signed and drops a device driver 10->76 14 bin.exe 6 10->14         started        signatures6 process7 dnsIp8 50 drive.google.com 142.250.65.238, 443, 50314 GOOGLEUS United States 14->50 52 drive.usercontent.google.com 142.250.81.225, 443, 50315 GOOGLEUS United States 14->52 78 Maps a DLL or memory area into another process 14->78 18 gKWUfAOjjWjhPYonsXTtyiGxwgDRM.exe 14->18 injected signatures9 process10 signatures11 54 Found direct / indirect Syscall (likely to bypass EDR) 18->54 21 finger.exe 13 18->21         started        process12 signatures13 66 Tries to steal Mail credentials (via file / registry access) 21->66 68 Tries to harvest and steal browser information (history, passwords, etc) 21->68 70 Writes to foreign memory regions 21->70 72 3 other signatures 21->72 24 gKWUfAOjjWjhPYonsXTtyiGxwgDRM.exe 21->24 injected 28 firefox.exe 21->28         started        process14 dnsIp15 44 www.deniztemiz.fun 46.28.105.2, 50341, 50342, 50343 WEDOSCZ Czech Republic 24->44 46 xiaoyue.zhuangkou.com 47.76.88.64, 50317, 50318, 50319 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States 24->46 48 14 other IPs or domains 24->48 74 Found direct / indirect Syscall (likely to bypass EDR) 24->74 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7kqki7ezk7x72pg6cx4sjvze2lqrleav5b2sq7lzpeqtknoa2kq._file
Verdict:
unknown
Similar samples:
0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018
GuLoader
1eda1b310543e616e8b7b97e8e5f13597fb3a67ed9658b3daba2f49361563689
GuLoader
4d688c6baec0d972c248f7747f18dc385e67a0fb2b1a5deb70f324b16220780d
GuLoader
6856d48b94e263e7add9845cdb9077a9bfeb01f6e35f1a1bcacaf5ecba2f6a86
GuLoader
717bf9daefcb45980ef823bc99518c72b886de52a526a5bc4579a50ff5f9ecb9
GuLoader
93d8270cf8904624572540c924610458e0eb7984afc5c744eeda2e50ad5024c2
GuLoader
b3a1509f77da1f09f79e2d0d6b6c6938db01f8ec67fa6adcf992eeb5b6b8698a
GuLoader
e24b4518a8d28c76f2fc274dd2dc2cf4c82f734895e13332122a39d101361536
GuLoader
f231e32a7da0a5dec56bb64c7ddc4c02bec943ae6ff32703a31fd944337df7bc
GuLoader
+ 847 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/240322-s1wkbafe3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
MD5 hash:
6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1 hash:
b6ac111dfb0d1fc75ad09c56bde7830232395785
Link:
https://www.unpac.me/results/56abec06-0d9e-404b-b004-65e8fd308c10/
SH256 hash:
bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695
MD5 hash:
e63cfbd518e5a8466c190a4c6fcc3ef1
SHA1 hash:
6d2fab13f44daf6c50fd9baf10317fdf03f46443
Link:
https://www.unpac.me/results/56abec06-0d9e-404b-b004-65e8fd308c10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2789071/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::GetWindowsDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments