MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0f5e5711e53f7f7cafbfedf8b7614341a9685043411bdfd2b0d1f1aebb1ac3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0f5e5711e53f7f7cafbfedf8b7614341a9685043411bdfd2b0d1f1aebb1ac3f
SHA3-384 hash: be4a53c9b1bb9426b7097813c289ed629b6da14c34c0c7f6cb842e5276c3a50cdee8aae9540d4277af4f44360191845a
SHA1 hash: 7d0ebc9329840c3afd51dfc2e6181cd767913482
MD5 hash: 550c5d8e210eb5be36caa4a3610d3214
humanhash: yankee-sodium-item-vegan
File name:d0f5e5711e53f7f7cafbfedf8b7614341a9685043411bdfd2b0d1f1aebb1ac3f
Download: download sample
Signature GuLoader
Create hunting rule
File size:624'634 bytes
First seen:2023-06-08 10:57:47 UTC
Last seen:2023-06-08 11:41:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 12288:04+L3gMNEauRir739UZPM4GGbL8+tBllIgZwFeRD5LUiEE7GT:a80EauRir7NUZPM4G+ttId0RqfFT
Threatray 970 similar samples on MalwareBazaar
TLSH T1D5D4D0023F2CA59DD5F8C6B637539BF50FA8AD2AC4F166CAB3C5730C69745920E9E402
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 88a4c0c8d8d062be (3 x GuLoader, 3 x Formbook)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d0f5e5711e53f7f7cafbfedf8b7614341a9685043411bdfd2b0d1f1aebb1ac3f
Verdict:
Malicious activity
Analysis date:
2023-06-08 10:56:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36768f87-1f8b-4bfc-8333-b9b76385e414

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396907/
Detection(s):
SecuriteInfo.com.BackDoor.HRDP.38.4359.6678.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a file
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89941/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer guloader lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6481b43c53bdc73e916f43b2/reports/0d87db13-78cc-4fb4-84be-ec44aa065264/overview
Verdict:
Malicious
Labled as:
Downloader/GuLoader
Link:
https://www.hybrid-analysis.com/sample/d0f5e5711e53f7f7cafbfedf8b7614341a9685043411bdfd2b0d1f1aebb1ac3f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cbd2f3d1-229c-4142-9df2-2b717a78f34b
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251094
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 884115 Sample: 7SzUgdO8Ne.exe Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 35 xxkxcfkujyeft.xyz 2->35 37 xxkhr1iuvw3de.xyz 2->37 39 27 other IPs or domains 2->39 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 6 other signatures 2->53 9 7SzUgdO8Ne.exe 2 54 2->9         started        signatures3 process4 file5 27 C:\Users\user\AppData\Roaming\...\ieee754.dll, PE32+ 9->27 dropped 29 C:\Users\user\AppData\Local\...\System.dll, PE32 9->29 dropped 57 Tries to detect Any.run 9->57 13 cmstp.exe 13 9->13         started        16 7SzUgdO8Ne.exe 6 9->16         started        signatures6 process7 dnsIp8 59 Tries to steal Mail credentials (via file / registry access) 13->59 61 Tries to harvest and steal browser information (history, passwords, etc) 13->61 63 Writes to foreign memory regions 13->63 71 3 other signatures 13->71 19 explorer.exe 4 1 13->19 injected 23 firefox.exe 13->23         started        31 googlehosted.l.googleusercontent.com 142.250.181.225, 443, 49832 GOOGLEUS United States 16->31 33 drive.google.com 172.217.23.110, 443, 49831 GOOGLEUS United States 16->33 65 Tries to detect Any.run 16->65 67 Maps a DLL or memory area into another process 16->67 69 Sample uses process hollowing technique 16->69 signatures9 process10 dnsIp11 41 www.agileter.info 67.223.117.160, 49862, 49863, 49864 VIMRO-AS15189US United States 19->41 43 scottsteedley.com 162.214.206.200, 49891, 49892, 49893 UNIFIEDLAYER-AS-1US United States 19->43 45 16 other IPs or domains 19->45 55 System process connects to network (likely due to code injection or exploit) 19->55 25 WerFault.exe 2 23->25         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0f5e5711e53f7f7cafbfedf8b7614341a9685043411bdfd2b0d1f1aebb1ac3f/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2023-06-08 10:58:05 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2d26k4i6kp37psx373pyw5qugqnjnbiegqi337jlbuprv25rvq7q._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0046d4926a496ea3554ee394b36f77d7ba5f615718bd73b9139f9622d1e11018
GuLoader
1768b7ce66331d91fbe417910dbffa2d995214853ccb769dbd73d3f4a824b647
GuLoader
49c664a223499b26d21c32fa465d34dda9c824a3940eda061ea8ccfdac003a3a
GuLoader
693e8f8b588610bfc9ed0592d7ec7486d0b039cc0651a710c642c1f19c0037d1
GuLoader
71a645f62d75e1108a47968a53fb0a9dc807bce7ac17e59c047ff05143c7eace
GuLoader
723ff97e6559f6558c288ca693898592a21aab28c003883ca13b81667d7e3aef
GuLoader
baf524e165268a0c661800a1f01547c21f6bb1c0d399c72ebbcd2a08cc797977
GuLoader
d9880865beba3895d3079082b5e59ab582559e1ac49aa21a2588db39132a5246
GuLoader
dbb615f3effa4483d620bf911040f7fcf05b5c9b6f1b588e17d19c23e089e5c5
GuLoader
f8082dc1210616c55008edc73e1ca4966cd8575e2425ed72f71f28b97f71172a
GuLoader
+ 960 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/230608-m2tt8aee69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
MD5 hash:
fbe295e5a1acfbd0a6271898f885fe6a
SHA1 hash:
d6d205922e61635472efb13c2bb92c9ac6cb96da
Link:
https://www.unpac.me/results/bd241e4d-5973-446c-8cb2-3e3f218dfcc0/
SH256 hash:
d0f5e5711e53f7f7cafbfedf8b7614341a9685043411bdfd2b0d1f1aebb1ac3f
MD5 hash:
550c5d8e210eb5be36caa4a3610d3214
SHA1 hash:
7d0ebc9329840c3afd51dfc2e6181cd767913482
Link:
https://www.unpac.me/results/bd241e4d-5973-446c-8cb2-3e3f218dfcc0/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0f5e5711e53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0f5e5711e53f7f7cafbfedf8b7614341a9685043411bdfd2b0d1f1aebb1ac3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/396907/

Comments