MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3108377ae1619d8bda54869024bd8d1d03c62d5c7b4fe9ab25d5cd6447288d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 12



SHA256 hash: c3108377ae1619d8bda54869024bd8d1d03c62d5c7b4fe9ab25d5cd6447288d0
SHA3-384 hash: 95a40d3195eb86e9836f0536e7de5a30e8856a4af16458b9a3abed16607232e3a89730b86dd1aa6a566c4d14eef0b914
SHA1 hash: fbd2b6a74e6ab75850d7a23033cc74284c8a3948
MD5 hash: 3ff1150364277dceb7047b6e2e0d00d9
humanhash: hot-lima-four-asparagus
File name: c3108377ae1619d8bda54869024bd8d1d03c62d5c7b4fe9ab25d5cd6447288d0
Signature: GuLoader
File size: 677'808 bytes
First seen: 2023-04-05 12:16:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep: 12288:dMw4EAPcLqk7JVRRrCo/xT3yZrn0aHDyq9DSXALFWJ8caLUv:dMwtAPcLqkJVRRrC+3yBDyq0GOv
Threatray: 1'065 similar samples on MalwareBazaar
TLSH: T1B3E401413BBCDA27D6A67C7F6423B20C34BAAE50AA46C52577673AFD5DB83411E07203
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 71c496b6b696cc71 (9 x SnakeKeylogger, 4 x GuLoader, 1 x AgentTesla)
Reporter: adrian__luca
Tags: exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-03T10:57:08Z
Valid to: 2026-01-02T10:57:08Z
Serial number: 71d82480abcb5ff0d011f24b0725332688cdf25e
Thumbprint Algorithm: SHA256
Thumbprint: 796d140ff611dad1ff16e2b983c416485896f5e58d11d415de0e80300544f03b
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 243
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c3108377ae1619d8bda54869024bd8d1d03c62d5c7b4fe9ab25d5cd6447288d0
Verdict: Malicious activity
Analysis date: 2023-04-05 12:16:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Delayed reading of the file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: guloader icedid overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Yara detected FormBook
Behaviour
Behavior Graph: [behavior graph image not reproduced; Behavior Graph ID: 841725, Sample: J2wqtV6Si7.exe, Startdate: 05/04/2023, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2023-03-28 13:04:03 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family: guloader
Score: 10/10
Tags: family:formbook family:guloader campaign:bd16 downloader rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Formbook payload
Formbook
Guloader,Cloudeye
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: Suspicious_Macro_Presence
Author: Mehmet Ali Kerimoglu (CYB3RMX)
Description: This rule detects common malicious/suspicious implementations.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments