MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9e9fc3a10a439f7e685f46ac95a28c291c8586f0302603f2337547331ae7c29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9e9fc3a10a439f7e685f46ac95a28c291c8586f0302603f2337547331ae7c29
SHA3-384 hash: d2e581b68893d593dbdea483b482d344765ac74ea4ec8eae5cf9de12a1c5d00b209acb4a8e932e91628084058befd4b0
SHA1 hash: 91baeb13d806e934d9bfc91be5ea5b6eb0d75f3c
MD5 hash: ee003d5904c76e48228192c1ff786e47
humanhash: nineteen-mars-december-wolfram
File name:SPL9015280.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:362'995 bytes
First seen:2023-05-19 12:34:08 UTC
Last seen:2023-05-20 15:29:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep 6144:h4SUjhtXAqTvkWqOs5PC+c5H9ByjuGHK2Tb+w/fw7FtbSJPB7A9K7:6XAqQWqp5C+c5HHyjO2nHHQFtbSZBMq
Threatray 835 similar samples on MalwareBazaar
TLSH T17E742355ABE1993FD1A9CEB40EF6AEBBE331401D40567803471CFFA61D378260F4AA85
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 6949e8ccd4e0e8e8 (4 x GuLoader, 1 x AZORult, 1 x Formbook)
Reporter TeamDreier
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
5
# of downloads :
242
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SPL9015280.exe
Verdict:
No threats detected
Analysis date:
2023-05-19 12:36:57 UTC
Tags:
installer
Link:
https://app.any.run/tasks/94ffed6e-bf51-45c4-9fe7-c2d8471fb331

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67104673.18143.7809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Searching for the window
Sending a custom TCP request
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64676cf76766617adecd6d1a/reports/260ea1b0-447d-406a-ba96-5bac31614213/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c9e9fc3a10a439f7e685f46ac95a28c291c8586f0302603f2337547331ae7c29
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ae2af798-859f-4dcf-8d78-17ad1133d411
Result
Threat name:
GuLoader, Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237185
Signature
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 870184 Sample: SPL9015280.exe Startdate: 19/05/2023 Architecture: WINDOWS Score: 100 38 kng4.shop 2->38 40 globosphera.org 2->40 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 6 other signatures 2->52 9 SPL9015280.exe 1 38 2->9         started        signatures3 process4 file5 24 C:\Users\user\Bespiser\...\hgfs.dll, PE32+ 9->24 dropped 26 C:\Users\user\Bespiser\...\APM_AC3.dll, PE32 9->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 9->28 dropped 54 Self deletion via cmd or bat file 9->54 13 SPL9015280.exe 63 9->13         started        signatures6 process7 dnsIp8 42 kng4.shop 172.67.159.65, 49851, 49852, 80 CLOUDFLARENETUS United States 13->42 44 globosphera.org 92.222.244.238, 49850, 80 OVHFR France 13->44 30 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->30 dropped 32 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 13->32 dropped 34 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->34 dropped 36 45 other files (none is malicious) 13->36 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->56 58 Tries to steal Instant Messenger accounts or passwords 13->58 60 Tries to steal Mail credentials (via file / registry access) 13->60 62 6 other signatures 13->62 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9e9fc3a10a439f7e685f46ac95a28c291c8586f0302603f2337547331ae7c29/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-18 12:44:16 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhu7yoqquq47pzuf6rvmswriyki4qwdpambgapzdg5khgmnopquq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
213be309e9885ffee1f6dff8cbdc8527d22a0813105cb565dddb727b0d74ff6f
GuLoader
25d75cfcb97f4594d2cfde218c3d098ea70069e3cbbaa95c8f1bdba8d342ec36
GuLoader
29ef762fd2115e70a9983833788d592be9b846e52e79066341849281067cd57b
GuLoader
3688bbdea17976134a7195c46f6c9634456cebc5f4962ea74bb59b727d640a24
GuLoader
79c7450a5d20a4696943cb3dfb2d406c7d421310c8c408d1ab1e0491a5c13dc4
GuLoader
b5083c2bb6ce06175d3455c77a514d9fd48150aaf8c6fe6159c33f46b0a5b11e
GuLoader
cb50638ad62a7d2fe8719d31319a698ec91d9b7ffe7498e0ec1d3b36d81dedf3
GuLoader
d81faad0d92b453c12c9de5562f2ff509e88743776af0e48b6ed676f538a9892
GuLoader
eeeb1bc5faafbb0921895d6b2bba4d0dce0ef5288e4b22e3eb6ec329b3ef7c6a
GuLoader
+ 825 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:guloader downloader infostealer trojan
Link:
https://tria.ge/reports/230519-psby6adg88/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Azorult
Guloader,Cloudeye
Malware Config
C2 Extraction:
http://kng4.shop/kng4/index.php
Unpacked files
SH256 hash:
c9e9fc3a10a439f7e685f46ac95a28c291c8586f0302603f2337547331ae7c29
MD5 hash:
ee003d5904c76e48228192c1ff786e47
SHA1 hash:
91baeb13d806e934d9bfc91be5ea5b6eb0d75f3c
Link:
https://www.unpac.me/results/f1af022a-f646-4300-8259-252adb4e80dd/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9e9fc3a10a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/c9e9fc3a10a439f7e685f46ac95a28c291c8586f0302603f2337547331ae7c29

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe c9e9fc3a10a439f7e685f46ac95a28c291c8586f0302603f2337547331ae7c29

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments