MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdd7f820cadbc02ea8608da2bb8afd03367f4169d9f7c0d36a2e66f40dc5294f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdd7f820cadbc02ea8608da2bb8afd03367f4169d9f7c0d36a2e66f40dc5294f
SHA3-384 hash: 6bf10f3a58d770a6375d5dc6221730f9e24c9332a68dbb473d2eb8060e2863cfbe8e2d26f838e8902c73e66f8b7553d0
SHA1 hash: eeedb03fa3e391201f729a19b3a9fb7244e3d78b
MD5 hash: f29782c9385054baf2ad65b1233c4adf
humanhash: eleven-cola-helium-leopard
File name:DHL_2017128 Receipt Document,pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:308'821 bytes
First seen:2023-05-02 11:17:46 UTC
Last seen:2023-05-02 11:36:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (277 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 6144:V7ewToRaiAGZRBbN/ZxjLezbXGquH7/O2zaKIN4TQ:5VToAiAGZ3J/ZxWuqG7NaKI6TQ
Threatray 799 similar samples on MalwareBazaar
TLSH T1406402017BA0DA67C87280F27C66EA35DB616C4A2D50851363F1BF4FFD762921D0E297
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 72e292f2f212c830 (4 x Formbook, 2 x GuLoader)
Reporter Anonymous
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_2017128 Receipt Document,pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-02 11:18:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ac648802-dd24-48ba-9630-817f44a5415a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386074/
Detection(s):
SecuriteInfo.com.Troj.Inject-EAO.957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Searching for the window
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82213/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer guloader overlay packed shell32.dll trickbot
Link:
https://www.filescan.io/uploads/6450f16b961a21dc785c61a2/reports/4b5bbbb8-43c3-44b4-b431-abc969b6bc9f/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/cdd7f820cadbc02ea8608da2bb8afd03367f4169d9f7c0d36a2e66f40dc5294f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3eb2f3a3-6fb6-49bf-89ea-81767bff3dde
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224587
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 857551 Sample: DHL_2017128_Receipt_Documen... Startdate: 02/05/2023 Architecture: WINDOWS Score: 100 45 www.yourstruly.global 2->45 47 www.vindevs.net 2->47 49 20 other IPs or domains 2->49 69 Snort IDS alert for network traffic 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 8 other signatures 2->75 12 DHL_2017128_Receipt_Document,pdf.exe 24 2->12         started        14 ieinstal.exe 2->14         started        16 ieinstal.exe 2->16         started        signatures3 process4 process5 18 powershell.exe 12 12->18         started        signatures6 59 Very long command line found 18->59 21 powershell.exe 13 18->21         started        24 conhost.exe 18->24         started        process7 signatures8 77 Writes to foreign memory regions 21->77 79 Tries to detect Any.run 21->79 26 ieinstal.exe 6 21->26         started        30 ieinstal.exe 21->30         started        process9 dnsIp10 57 185.254.37.66, 49838, 80 NETERRA-ASBG Germany 26->57 83 Modifies the context of a thread in another process (thread injection) 26->83 85 Tries to detect Any.run 26->85 87 Maps a DLL or memory area into another process 26->87 89 2 other signatures 26->89 32 RAVCpl64.exe 26->32 injected signatures11 process12 process13 34 ipconfig.exe 1 13 32->34         started        37 autochk.exe 32->37         started        signatures14 61 Tries to steal Mail credentials (via file / registry access) 34->61 63 Tries to harvest and steal browser information (history, passwords, etc) 34->63 65 Writes to foreign memory regions 34->65 67 3 other signatures 34->67 39 explorer.exe 3 1 34->39 injected 43 firefox.exe 34->43         started        process15 dnsIp16 51 www.thelifediy.com 62.65.78.56, 49856, 49857, 49858 TELENOR-NEXTELTelenorNorgeASNO Sweden 39->51 53 2052nracine.info 15.197.136.110, 49880, 49881, 49882 TANDEMUS United States 39->53 55 13 other IPs or domains 39->55 81 System process connects to network (likely due to code injection or exploit) 39->81 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdd7f820cadbc02ea8608da2bb8afd03367f4169d9f7c0d36a2e66f40dc5294f/
Threat name:
Win32.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2023-05-02 11:18:07 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxl7qigk3pac5kdarwrlxcx5am3h6qlj3h34bu3kfztpidofffhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07fa172e1404c76738226cefc6e5d45559430c9946e419ed089d9ae5690783f9
GuLoader
18b1abba90cf4a74b7216b91f02febb1c8694113f5ddc3507fd35b66253bcb83
GuLoader
3f6b1b62fd63112b0626567e8cd6a9179499109f1aee6fe0627d9b429add64d1
GuLoader
494d5735144af171cc15708b37b491b74be1522494958e605ac348dd4897dcf9
GuLoader
601068d38fe3988fac053f5be6fcd8f364ac199fcd278ebe10cd7ee74e9b2726
GuLoader
97e21d286bfa20d9d8af4d186c35c7af9e7cddd424459eab7c998d82f830e531
GuLoader
b534709b0de0c4392af03fea261580b08915ae1e5a55496f85dc21500c6a8338
GuLoader
d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15
GuLoader
f13b318caba7938d24d18b32e16a1f111ec694b313590a4023f5e277d70ef7db
GuLoader
+ 789 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/230502-nd9q7scf6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Unpacked files
SH256 hash:
cdd7f820cadbc02ea8608da2bb8afd03367f4169d9f7c0d36a2e66f40dc5294f
MD5 hash:
f29782c9385054baf2ad65b1233c4adf
SHA1 hash:
eeedb03fa3e391201f729a19b3a9fb7244e3d78b
Link:
https://www.unpac.me/results/a5722cbd-dd84-466e-981c-8e12a6a59319/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cdd7f820cadb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe cdd7f820cadbc02ea8608da2bb8afd03367f4169d9f7c0d36a2e66f40dc5294f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386074/

Comments