MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
GuLoader
Vendor detections: 15
| SHA256 hash: | dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086 |
|---|---|
| SHA3-384 hash: | c2a79d45b963304fe50ccec46d8061e1dfc5898a956381126bca31a944fb8dc054bf067644ba5a83901c1bf191f8afcf |
| SHA1 hash: | 723e5363d6c0530371766c8360c8bb996eaa689e |
| MD5 hash: | e3aa3a593645685a164a3a1649b67638 |
| humanhash: | sodium-pennsylvania-kansas-vegan |
| File name: | Zincize.exe |
| Download: | download sample |
| Signature | GuLoader |
| File size: | 1'214'856 bytes |
| First seen: | 2024-09-16 07:35:08 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki) |
| ssdeep | 12288:7cPtTe3zTUZFJHXWlzKA5SDOmHu42Eo3USU2m8FRHvKIYe28MdlpQd6:YPty3zTcFJHXIhsqTxUZ8FRHvK1/pQd6 |
| TLSH | T17245DF22FB88D80AC94456701EACE7B95962FD60BD2CA2537AC67F5FF5BC3725C44280 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| File icon (PE): |  |
| dhash icon | f064797169c9c9d2 (1 x GuLoader) |
| Reporter |  lowmal3 |
| Tags: | exe GuLoader signed |
Code Signing Certificate
| Organisation: | Terningernes Trilobed Vmmeligste |
|---|---|
| Issuer: | Terningernes Trilobed Vmmeligste |
| Algorithm: | sha256WithRSAEncryption |
| Valid from: | 2024-04-07T07:14:41Z |
| Valid to: | 2027-04-07T07:14:41Z |
| Serial number: | 6813476c50b2bd430c924440214bdc10bb3894de |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | b1a48ec5ec5d217896abce7c9f1f79427b6faaab14d907f61b4f8efc4cd444ff |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Intelligence
File Origin
# of uploads :
1
# of downloads :
399
Origin country :
DEVendor Threat Intelligence
Detection(s):
Verdict:
Malicious
Score:
92.5%
Tags:
Encryption Execution Static Malware
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Verdict:
Malicious
Labled as:
Trojan.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NSIS
Verdict:
Unknown
Result
Threat name:
GuLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Submitted sample is a known malware sample
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Score:
89%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.Guloader
Status:
Malicious
First seen:
2024-09-11 07:57:29 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
MD5 hash:
b38561661a7164e3bbb04edc3718fe89
SHA1 hash:
f13c873c8db121ba21244b1e9a457204360d543f
Detections:
win_flawedammyy_auto
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
SH256 hash:
bf0cf3990c6c23dd91ec21071c31537f36355b6d6900358e1536b9a377427619
MD5 hash:
26fc881f84b7f9081cf6b58ab8f9ec08
SHA1 hash:
c4424b9a716392228d55f7d067592d77e9d1b5d2
Detections:
win_flawedammyy_auto
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
SH256 hash:
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
MD5 hash:
e3aa3a593645685a164a3a1649b67638
SHA1 hash:
723e5363d6c0530371766c8360c8bb996eaa689e
Malware family:
GuLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Detect_APT29_WINELOADER_Backdoor |
|---|---|
| Author: | daniyyell |
| Description: | Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends |
| Reference: | https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties |
| Rule name: | Ins_NSIS_Buer_Nov_2020_1 |
|---|---|
| Author: | Arkbird_SOLG |
| Description: | Detect NSIS installer used for Buer loader |
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::SetFileSecurityA |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExA SHELL32.dll::SHFileOperationA SHELL32.dll::SHGetFileInfoA |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetDiskFreeSpaceA KERNEL32.dll::GetCommandLineA |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::MoveFileExA KERNEL32.dll::MoveFileA |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::FindWindowExA USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.