MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204
SHA3-384 hash: d4cf0bdbcdfe5089ca50ca3d1028ba5f777fd8abafc1c912bf185e5908eb039454e09fe74508d9778848863ce3390e76
SHA1 hash: 46ea4ccd0de4a0b917b98f2d626182d1270d3bfb
MD5 hash: cae0a2b2c56b394afa087d84a85e1f6b
humanhash: solar-zebra-friend-solar
File name:cae0a2b2c56b394afa087d84a85e1f6b
Download: download sample
Signature GuLoader
Create hunting rule
File size:507'490 bytes
First seen:2023-12-15 19:45:14 UTC
Last seen:2023-12-15 22:19:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 12288:Lla0X0TqFbAqCU/8iMRbPuAKArxkKfo7B9jGjpyKjs:I0X0TqFQUxMEexkd9jGtl
Threatray 9 similar samples on MalwareBazaar
TLSH T1B5B423C9B8C0EF67F283D43005B76EAA9635A78BE548396EA7903B157713841C41B38B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4e8ccdcccdcdcd4 (1 x GuLoader)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467755/
Detection(s):
SecuriteInfo.com.Variant.Tedy.504904.7884.7433.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Sending a custom TCP request
Launching a process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/657cacfeffafd83ebc90e140/reports/595d04bd-b657-41f9-aacc-c39b65b5c347/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/224b4b77-ca7e-4157-a297-538c3b34f141
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362997
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362997 Sample: mvJLQOpZDB.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 47 www.zenithdash.xyz 2->47 49 www.zymc.site 2->49 51 15 other IPs or domains 2->51 57 Snort IDS alert for network traffic 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 65 3 other signatures 2->65 12 mvJLQOpZDB.exe 23 2->12         started        signatures3 63 Performs DNS queries to domains with low reputation 47->63 process4 file5 37 C:\Users\user\AppData\Roaming\...pha.Aut, data 12->37 dropped 39 C:\Users\user\AppData\Local\...\nsn731A.tmp, data 12->39 dropped 15 powershell.exe 12 12->15         started        process6 signatures7 77 Suspicious powershell command line found 15->77 79 Very long command line found 15->79 81 Found suspicious powershell code related to unpacking or dynamic code loading 15->81 18 powershell.exe 13 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 55 Writes to foreign memory regions 18->55 23 wab.exe 6 18->23         started        process10 dnsIp11 53 synergyinnovationgroup.com 65.60.36.22, 443, 49712 SINGLEHOP-LLCUS United States 23->53 67 Maps a DLL or memory area into another process 23->67 27 LwbxgRgTDOXUUvMkEtzkA.exe 23->27 injected signatures12 process13 process14 29 auditpol.exe 13 27->29         started        signatures15 69 Tries to steal Mail credentials (via file / registry access) 29->69 71 Tries to harvest and steal browser information (history, passwords, etc) 29->71 73 Writes to foreign memory regions 29->73 75 3 other signatures 29->75 32 LwbxgRgTDOXUUvMkEtzkA.exe 29->32 injected 35 firefox.exe 29->35         started        process16 dnsIp17 41 www.caffleoraret.cyou 109.123.121.243, 49719, 49720, 49721 UK2NET-ASGB United Kingdom 32->41 43 www.ccamio.com 91.195.240.117, 49732, 49733, 49734 SEDO-ASDE Germany 32->43 45 8 other IPs or domains 32->45
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2alcvbxdqeknflvqkmf7zjgzhhgu2fpfzq25kdfwjqqbepypgica._file
Verdict:
malicious
Similar samples:
2051138003c024d619292ea1a12d0b813946bc88d885d8a1c49478804acb2d92
GuLoader
26867f2c23465d6220bb9f81714c67d2769e54e4ebd0eb15ee3fa3d0dc3b6be3
GuLoader
405c6ef30357c9ef5c53787a35f2c20c3311d835eb2d15f61038005efcd19c3c
GuLoader
7f6af80f59437303f1f0282e798c57619cc1c013cb08c66810595952558fdcc9
GuLoader
b380861d3a6700f0270709b27f65394e4146f6a109512c084a71c14f69a57bfe
GuLoader
d4471111f0e92ea1d7760bd2cc6f75ce16bc8245d077edc47d56181f23a96cea
GuLoader
e028ec06b305b12ae0084a95ff95118dfc97c1870337742446d6981951119c16
GuLoader
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231215-ygyhfsadh4/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204
MD5 hash:
cae0a2b2c56b394afa087d84a85e1f6b
SHA1 hash:
46ea4ccd0de4a0b917b98f2d626182d1270d3bfb
Link:
https://www.unpac.me/results/19fa3926-12bb-477e-9a08-2a204ac76b51/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe d0162a86e38114d2aeb0530bfca4d939cd4d15e5cc35d50cb64c20123f0f3204

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2741278/
Cape
Cape
https://www.capesandbox.com/analysis/467755/

Comments


Avatar
zbet commented on 2023-12-15 19:45:15 UTC

url : hxxp://172.245.208.4/3456/wlanext.exe