MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca85d198d36158a0a552a07369952e1229cfc4e541e3392116768da673f46d66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca85d198d36158a0a552a07369952e1229cfc4e541e3392116768da673f46d66
SHA3-384 hash: af4ddb2f3262e229b6d3a4db230bfee7116a12a0e66ea51e195ff6bb8a0e9b0cd380640a4dd36cf577ad862b82003634
SHA1 hash: 4ec6edd3a54ad78c7b89e996b31003edb8839a55
MD5 hash: 89644ce29b631d137aa848efe6287f3c
humanhash: four-two-louisiana-sink
File name:August Invoice.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:313'680 bytes
First seen:2022-08-19 00:11:24 UTC
Last seen:2022-09-02 00:34:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ea4df5d94204fc550be1874e1b77ea7 (241 x GuLoader, 29 x RemcosRAT, 17 x VIPKeylogger)
ssdeep 6144:wB+pgULLC81Bx0z5/ofySwGisKvQrO8GBPF6:wgDL31Bxy13SUsKV/PY
Threatray 2'179 similar samples on MalwareBazaar
TLSH T18F64F1553796C907D7405B306199E7BF8B38FE442C25C60673A1BFCFBA20B63A918392
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Produktionssystem Skovrigst Unscepter
Issuer:Produktionssystem Skovrigst Unscepter
Algorithm:sha256WithRSAEncryption
Valid from:2022-01-18T12:36:02Z
Valid to:2025-01-17T12:36:02Z
Serial number: -5f5b8933c1196adf
Thumbprint Algorithm:SHA256
Thumbprint: 7dc84e7eff644994913c974fb2e878960ea81c6a953237f9376c07a06fe21da6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
August Invoice.exe
Verdict:
Malicious activity
Analysis date:
2022-08-19 00:11:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/952eb747-5326-4d9e-a8b9-c4930702f22d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299688/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61329580.30121.28889.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29450/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62fed5348adad7d773a0e8c7/reports/2ba835dd-50ca-4f91-a1e4-9435a153d86c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/caa3bc9e-e32e-40b0-b98c-34133fec8423
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1054145
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 686662 Sample: August Invoice.exe Startdate: 19/08/2022 Architecture: WINDOWS Score: 60 38 Multi AV Scanner detection for submitted file 2->38 40 Executable has a suspicious name (potential lure to open the executable) 2->40 42 Initial sample is a PE file and has a suspicious name 2->42 44 Mass process execution to delay analysis 2->44 7 August Invoice.exe 3 81 2->7         started        process3 file4 32 C:\Users\user\...\ArmouryCrate.DenoiseAI.exe, PE32+ 7->32 dropped 34 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->34 dropped 36 C:\Users\user\AppData\Local\...\System.dll, PE32 7->36 dropped 10 powershell.exe 7->10         started        12 powershell.exe 7->12         started        14 powershell.exe 7->14         started        16 49 other processes 7->16 process5 process6 18 conhost.exe 10->18         started        20 conhost.exe 12->20         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 16->26         started        28 conhost.exe 16->28         started        30 46 other processes 16->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca85d198d36158a0a552a07369952e1229cfc4e541e3392116768da673f46d66/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2022-08-17 17:02:19 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkc5dggtmfmkbjksubzwtfjociu47rhfihrtsiiwo2g2m47unvta._file
Verdict:
malicious
Similar samples:
1273c78b4f196fc982cb1e9b7abe9d2b5c4f10c5486e7a891615bb273fef419d
GuLoader
2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
GuLoader
35e4927ea02978e01bee3917c5c2c92d46308473bf3eaf4ef1d4d3c0eb0a0d4f
GuLoader
861f5a47b316a7668eedc2c5b7f7780406735223bd41a2a29f5df29331f7e51f
GuLoader
867728410f8a0158bf19ee07f1001905aa803295cb9995a3a813fba7ef46770c
GuLoader
a5c940653c3b19cacd1378f2081feb377f2791257fbef36cd64df3a0b1b7d4b4
GuLoader
d28cdd34432fb25eb479fc1faa90d0f1fa37bd4b9edb9e1febaa512f8e1ea79e
GuLoader
d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
GuLoader
dcb25316bc3b1978f4acb2cce9804787843d832b46939195550ccdfc2f7f947c
GuLoader
f48f29b77d06f3c8617af598413f5b697a3c0569d6ac959e80fec1a4ea499cea
GuLoader
+ 2'169 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220819-ag6xtsggb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
MD5 hash:
c5b9fe538654a5a259cf64c2455c5426
SHA1 hash:
db45505fa041af025de53a0580758f3694b9444a
Link:
https://www.unpac.me/results/eb444ccd-3618-411b-b89e-07067f037129/
SH256 hash:
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
MD5 hash:
0d45588070cf728359055f776af16ec4
SHA1 hash:
c4375ceb2883dee74632e81addbfa4e8b0c6d84a
Link:
https://www.unpac.me/results/eb444ccd-3618-411b-b89e-07067f037129/
SH256 hash:
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
MD5 hash:
a4dd044bcd94e9b3370ccf095b31f896
SHA1 hash:
17c78201323ab2095bc53184aa8267c9187d5173
Link:
https://www.unpac.me/results/eb444ccd-3618-411b-b89e-07067f037129/
SH256 hash:
8c6a95a1bf06c22224ab43bc1a1948f2cb0fd8d7089f2b828033c0fde161d2c2
MD5 hash:
d5bf01b2a316120d3d906e48e850520e
SHA1 hash:
a0e2f1caca1d35c227d231e6063d71ffe1d06322
Link:
https://www.unpac.me/results/eb444ccd-3618-411b-b89e-07067f037129/
SH256 hash:
ca85d198d36158a0a552a07369952e1229cfc4e541e3392116768da673f46d66
MD5 hash:
89644ce29b631d137aa848efe6287f3c
SHA1 hash:
4ec6edd3a54ad78c7b89e996b31003edb8839a55
Link:
https://www.unpac.me/results/eb444ccd-3618-411b-b89e-07067f037129/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/ca85d198d36158a0a552a07369952e1229cfc4e541e3392116768da673f46d66

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe ca85d198d36158a0a552a07369952e1229cfc4e541e3392116768da673f46d66

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/299688/

Comments