MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9



SHA256 hash: d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9
SHA3-384 hash: 33a0be80539d9f626a3a127f3a1c1aac3cf7ee11fdcc4e6b5b12c668c53e15c6c581ff847be07c09db34406ccb321f22
SHA1 hash: f4488a79fcb657eb1f3f23c6ce181ae7176fb11c
MD5 hash: 8906fa5fed7b1d3d2e5579d97419c076
humanhash: twenty-moon-burger-bluebird
File name: Foreign_Bank Account Details.exe
Signature: GuLoader
File size: 135'168 bytes
First seen: 2021-10-12 07:23:47 UTC
Last seen: 2021-10-12 08:16:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0a8e5f9658f839d07c08aa4f38837bac (8 x GuLoader)
ssdeep: 3072:wHohMc/81QScUhU7FeiRaz+7kOMr7d2PhOdnXhWZ2QLqw9mh7ObETDuvTuqZccm4:wHoBzsuRcw4rCh
TLSH: T1DDD3D511E5CEDD55CA46817D4C42835BBF6A3E424CC2292B3E5E16C83FFA9217690BCE
dhash icon: 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter: GovCERT_CH
Tags: exe GuLoader

Intelligence


File Origin
# of uploads: 2
# of downloads: 179
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Foreign_Bank Account Details.exe
Verdict: No threats detected
Analysis date: 2021-10-12 07:31:48 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour: Creating a window

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RemCom RemoteAdmin Mimikatz HawkEye Immi
Detection: malicious
Classification: rans.troj.evad.spre.adwa.spyw.expl.mine
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains VNC / remote desktop functionality (version string found)
Deletes shadow drive data (may be related to ransomware)
Detected Hacktool Mimikatz
Detected HawkEye Rat
Detected Imminent RAT
Detected Nanocore Rat
Detected Remcos RAT
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Found string related to ransomware
Found strings related to Crypto-Mining
Found Tor onion address
GuLoader behavior detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
May drop file containing decryption instructions (likely related to ransomware)
May enable test signing (to load unsigned drivers)
May modify the system service descriptor table (often done to hook functions)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected 0x0M4R Ransomware
Yara detected AESCRYPT Ransomware
Yara detected AgentTesla
Yara detected AllatoriJARObfuscator
Yara detected Amnesia ransomware
Yara detected Annabelle Ransomware
Yara detected AntiVM3
Yara detected Apis Ransomware
Yara detected Artemon Ransomware
Yara detected Autohotkey Downloader Generic
Yara detected Avaddon Ransomware
Yara detected AveMaria stealer
Yara detected Axiom Ransomware
Yara detected Babuk Ransomware
Yara detected Betabot
Yara detected BitCoin Miner
Yara detected BLACKMatter Ransomware
Yara detected BlackMoon Ransomware
Yara detected Buran Ransomware
Yara detected ByteLocker Ransomware
Yara detected Cerber ransomware
Yara detected Chaos Ransomware
Yara detected Clay Ransomware
Yara detected Clop Ransomware
Yara detected Cobra Locker ransomware
Yara detected Codoso Ghost
Yara detected Coinhive miner
Yara detected Conti ransomware
Yara detected Costura Assembly Loader
Yara detected Covid19 Ransomware
Yara detected CryLock ransomware
Yara detected Crypt ransomware
Yara detected Cryptolocker ransomware
Yara detected Cute Ransomware
Yara detected DarkSide Ransomware
Yara detected Delta Ransomware
Yara detected Discord Token Stealer
Yara detected Dorkbot
Yara detected Evrial Stealer
Yara detected Fiesta Ransomware
Yara detected Generic Dropper
Yara detected generic Shellcode Injector
Yara detected GhostRat
Yara detected Globeimposter Ransomware
Yara detected GlobeLocker Ransomware
Yara detected Gocoder ransomware
Yara detected GoGoogle ransomware
Yara detected Growtopia
Yara detected GuLoader
Yara detected Hancitor
Yara detected HiddenTear ransomware
Yara detected ISRStealer
Yara detected Jcrypt Ransomware
Yara detected Jigsaw
Yara detected Koadic
Yara detected LaZagne password dumper
Yara detected LazParking Ransomware
Yara detected LimeRAT
Yara detected Linux EvilGnome RC5 key
Yara detected LockBit ransomware
Yara detected LOCKFILE ransomware
Yara detected LokiLocker Ransomware
Yara detected Lolkek Ransomware
Yara detected MailPassView
Yara detected Mailto ransomware
Yara detected Marvel Ransomware
Yara detected MegaCortex Ransomware
Yara detected Metasploit Payload
Yara detected Meterpreter
Yara detected Mimikatz
Yara detected Mini RAT
Yara detected Mock Ransomware
Yara detected MSILLoadEncryptedAssembly
Yara detected Nemty Ransomware
Yara detected Netwalker ransomware
Yara detected NetWire RAT
Yara detected Niros Ransomware
Yara detected Njrat
Yara detected NoCry Ransomware
Yara detected Nukesped
Yara detected OCT Ransomware
Yara detected Ouroboros ransomware
Yara detected Parallax RAT
Yara detected PasteDownloader
Yara detected Pony
Yara detected Porn Ransomware
Yara detected Predator
Yara detected Ragnarok ransomware
Yara detected RansomwareGeneric
Yara detected Rapid ransomware
Yara detected RegretLocker Ransomware
Yara detected RekenSom ransomware
Yara detected RevengeRAT
Yara detected Rhino ransomware
Yara detected Ryuk ransomware
Yara detected Silvertor Ransomware
Yara detected Snake Keylogger
Yara detected Snatch Ransomware
Yara detected Telegram RAT
Yara detected TeslaCrypt Ransomware
Yara detected Thanos ransomware
Yara detected UACMe UAC Bypass tool
Yara detected Valak
Yara detected VB6 Downloader Generic
Yara detected VBKeyloggerGeneric
Yara detected VHD ransomware
Yara detected Vidar stealer
Yara detected Voidcrypt Ransomware
Yara detected Wannacry ransomware
Yara detected WannaRen ransomware
Yara detected Windows Security Disabler
Yara detected WormLocker Ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected Zeoticus ransomware
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Behavior Graph ID: 1613
Sample: Foreign_Bank Account Details.exe
Startdate: 12/10/2021
Architecture: WINDOWS
Score: 100

Start node
  Network: prda.aadg.msidentity.com; mail.cselegance.com; 4 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Potential malicious icon found; 140 other signatures
  Started: Foreign_Bank Account Details.exe; mpam-f54ed867.exe; mpam-c45e5da5.exe; 4 other processes

Foreign_Bank Account Details.exe
  Signatures: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers
  Started: RegAsm.exe

mpam-f54ed867.exe
  Dropped: C:\Windows\...\mpuxagent.dll.mui (PE32); C:\Windows\...\ProtectionManagement.dll.mui (PE32); C:\Windows\...\MpEvMsg.dll.mui (PE32); 193 other files (none is malicious)
  Signatures: Sample is not signed and drops a device driver
  Started: MpSigStub.exe

mpam-c45e5da5.exe
  Dropped: C:\Windows\ServiceProfiles\...\mpavdlta.vdm (PE32+); C:\Windows\ServiceProfiles\...\mpasdlta.vdm (PE32+); C:\Windows\ServiceProfiles\...\MpSigStub.exe (PE32+)
  Started: MpSigStub.exe
    Dropped: C:\Windows\ServiceProfiles\...\mpavbase.vdm (PE32+); C:\Windows\ServiceProfiles\...\mpasbase.vdm (PE32+)

4 other processes
  Started: conhost.exe (4 instances)

RegAsm.exe (started by Foreign_Bank Account Details.exe)
  Network: cselegance.com 116.0.120.83, 49812, 587, GTC-MY-PIP-ASGlobalTransitCommunications-MalaysiaMY, Malaysia; googlehosted.l.googleusercontent.com 142.250.186.33, 443, 49794, GOOGLEUS, United States; drive.google.com 172.217.168.46, 443, 49793, GOOGLEUS, United States
  Dropped: C:\Users\user\AppData\Roaming\...\tKZVPq.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file access); 7 other signatures
  Started: conhost.exe
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2021-10-12 06:22:32 UTC
AV detection: 11 of 36 (30.56%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: guloader
Score: 10/10
Tags: family:guloader downloader
Behaviour: Suspicious use of SetWindowsHookEx
Guloader,Cloudeye

Unpacked files
SHA256 hash: d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9
MD5 hash: 8906fa5fed7b1d3d2e5579d97419c076
SHA1 hash: f4488a79fcb657eb1f3f23c6ce181ae7176fb11c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9 (this sample)
Dropped by: guloader
Delivery method: Distributed via e-mail attachment

Comments