MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c622d40348e19de1e15a0ff9da40492af2ad5986b099616945d461f8606660ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c622d40348e19de1e15a0ff9da40492af2ad5986b099616945d461f8606660ef
SHA3-384 hash: b846c71460fb73e94696c510479aa263bc418e087666dcf8c5baf196216423b6debd0587d8ffe1c3297696225fa33bda
SHA1 hash: 5e7087952c8e81c576065ec26b06421b57473190
MD5 hash: d62969a4f821658faf7d02b6dbd994d6
humanhash: undress-purple-october-maine
File name:d62969a4f821658faf7d02b6dbd994d6
Download: download sample
Signature GuLoader
Create hunting rule
File size:106'496 bytes
First seen:2021-09-30 16:01:08 UTC
Last seen:2021-09-30 16:53:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a587116cc4241097b364fa915d1c4c46 (6 x GuLoader)
ssdeep 1536:5zoxiUfxwbcsmj+P4SJbb2k9Y5VGcCLqqQdSSyU1U:6fxwQsm2HJGm4VGcCLqqYC
Threatray 2'499 similar samples on MalwareBazaar
TLSH T1ADA32791F1A5ED8EE5114A7F80E68FE48811AFE49D7A16436388FECD2F3E18CD52C250
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d62969a4f821658faf7d02b6dbd994d6
Verdict:
No threats detected
Analysis date:
2021-09-30 20:56:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0a1c6779-4f3d-4ac7-8564-050c2c394598

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193736/
Detection(s):
SecuriteInfo.com.Trojan.PackedENT.235.10181.30929.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d793eda-fe26-423c-b952-f5f1f2275c6f
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862065
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1442 Sample: jnnbbMX9Ch.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 56 www.bjyxszd520.xyz 2->56 58 www.vertuminy.com 2->58 60 39 other IPs or domains 2->60 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Potential malicious icon found 2->78 80 Found malware configuration 2->80 84 11 other signatures 2->84 11 jnnbbMX9Ch.exe 1 1 2->11         started        signatures3 82 Performs DNS queries to domains with low reputation 56->82 process4 signatures5 102 Creates autostart registry keys with suspicious values (likely registry only malware) 11->102 104 Creates multiple autostart registry keys 11->104 106 Tries to detect Any.run 11->106 108 Hides threads from debuggers 11->108 14 jnnbbMX9Ch.exe 9 11->14         started        process6 dnsIp7 68 185.222.58.118, 49711, 49747, 49752 ROOTLAYERNETNL Netherlands 14->68 110 Modifies the context of a thread in another process (thread injection) 14->110 112 Tries to detect Any.run 14->112 114 Maps a DLL or memory area into another process 14->114 116 3 other signatures 14->116 18 explorer.exe 5 6 14->18 injected signatures8 process9 dnsIp10 62 cr123.sfycname.cn 172.247.35.176, 49771, 49772, 80 ZNETUS United States 18->62 64 connect.shopbase.com 185.33.94.22, 49722, 80 XTOMxTomEU United Kingdom 18->64 66 21 other IPs or domains 18->66 50 C:\Users\user\AppData\...\q47xwblp0lrpjlk.exe, PE32 18->50 dropped 86 System process connects to network (likely due to code injection or exploit) 18->86 88 Benign windows process drops PE files 18->88 23 svchost.exe 1 12 18->23         started        26 q47xwblp0lrpjlk.exe 1 18->26         started        28 q47xwblp0lrpjlk.exe 1 18->28         started        30 q47xwblp0lrpjlk.exe 1 18->30         started        file11 signatures12 process13 signatures14 90 System process connects to network (likely due to code injection or exploit) 23->90 92 Tries to steal Mail credentials (via file access) 23->92 94 Self deletion via cmd delete 23->94 100 6 other signatures 23->100 32 cmd.exe 2 23->32         started        35 cmd.exe 1 23->35         started        37 firefox.exe 23->37         started        96 Tries to detect Any.run 26->96 98 Hides threads from debuggers 26->98 39 q47xwblp0lrpjlk.exe 7 26->39         started        42 q47xwblp0lrpjlk.exe 7 28->42         started        44 q47xwblp0lrpjlk.exe 7 30->44         started        process15 file16 70 Tries to harvest and steal browser information (history, passwords, etc) 32->70 46 conhost.exe 32->46         started        48 conhost.exe 35->48         started        52 C:\Users\user\AppData\Local\...\filename1.exe, PE32 39->52 dropped 54 C:\Users\user\AppData\Local\...\filename1.vbs, ASCII 39->54 dropped 72 Tries to detect Any.run 39->72 74 Hides threads from debuggers 39->74 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c622d40348e19de1e15a0ff9da40492af2ad5986b099616945d461f8606660ef/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 16:02:05 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03dd5030cf9419d5f328b6ddf8bce820199c0aad46caf85c68aeb1645133972d
GuLoader
0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c
GuLoader
1942767aa808c15413e31d945174cdea44f4eeed5da3d5831aff879c90eb7609
GuLoader
4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b
GuLoader
a2afda47f4169023bca3c730a48e58d6c40e84236b959a871e883ded3304d5fb
GuLoader
d4dcaa41641bd14406b3fa2a1cee1e97de93329b9f901c650a87e7434676aed8
GuLoader
d6857aa5fd52de7b5f61da1d7556c2aa04ca9040fbd399ab797b927fc06aef12
GuLoader
e539bda619e24bb25719a6d5cf637643965d2561cd35ce24543d6a2f61963cf8
GuLoader
f0c28eabb44d97b7c5f6906b3862a358b3f91245e2aef683c371c31c54560ad3
GuLoader
f133a35b19376dbd570fedf093ff823bbf9da0219fe99e3efc5f85637f1f724f
GuLoader
+ 2'489 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210930-tgsjzsabgl/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
c622d40348e19de1e15a0ff9da40492af2ad5986b099616945d461f8606660ef
MD5 hash:
d62969a4f821658faf7d02b6dbd994d6
SHA1 hash:
5e7087952c8e81c576065ec26b06421b57473190
Link:
https://www.unpac.me/results/452a0eef-d9d6-4a44-ade1-51d00d97989a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c622d40348e19de1e15a0ff9da40492af2ad5986b099616945d461f8606660ef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe c622d40348e19de1e15a0ff9da40492af2ad5986b099616945d461f8606660ef

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1647635/
  
URLhaus
https://urlhaus.abuse.ch/url/1649280/
Cape
Cape
https://www.capesandbox.com/analysis/193736/

Comments


Avatar
zbet commented on 2021-09-30 16:01:09 UTC

url : hxxp://192.3.146.254/xjl/vbc.exe