MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df5fe9a0ba7f10d92cb21521aaa7850da19e7b3cfee35c2387dfe5d28e3480b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df5fe9a0ba7f10d92cb21521aaa7850da19e7b3cfee35c2387dfe5d28e3480b3
SHA3-384 hash: 453322286511acc858bc4306c9ee00749a23a5e13f05df84f5e3eacaf07dfa7d6b6c3ef9f3ff0a564977303a9f6fa13b
SHA1 hash: ff9c0831efa946446d8a6ca89f658e425762eaeb
MD5 hash: 00b0d25748447094c22e11aaa1f8d0a0
humanhash: sierra-dakota-bravo-undress
File name:00b0d25748447094c22e11aaa1f8d0a0
Download: download sample
Signature GuLoader
Create hunting rule
File size:479'040 bytes
First seen:2023-08-01 11:49:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep 12288:s7LABZYQkCRwMn6dL/BlCDRe0XKCIeekY7FlV:EinAtl4R0yeBDV
Threatray 1'035 similar samples on MalwareBazaar
TLSH T1CEA4E093EA9042A6E418083892A7BB1535F78C7DAB57CF2353DC31266F72053257E36B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c2aab2c2c0f0f0f0 (5 x GuLoader, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-02T10:53:30Z
Valid to:2026-06-01T10:53:30Z
Serial number: 7773443f5284ccb62a25d9f431ea36cf7d41d54e
Thumbprint Algorithm:SHA256
Thumbprint: 43ca989e51efd52a7bcf73f27099f7d5bf5eb0f09c420bab33ebe5a82e0af1c5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation.xls
Verdict:
Malicious activity
Analysis date:
2023-08-01 10:48:42 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/716ffc02-c370-4249-8ca3-8085cab7a187

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439595/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.31020.16397.20236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64c8f16da108b876ac84bd38/reports/143fbaa6-dc64-49d7-8ecc-26ba85a33bc2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/df5fe9a0ba7f10d92cb21521aaa7850da19e7b3cfee35c2387dfe5d28e3480b3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3cc37369-635e-4acd-9c8c-2c684daf1454
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1283700
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1283700 Sample: 6tGbTK1i2x.exe Startdate: 01/08/2023 Architecture: WINDOWS Score: 100 36 www.zdmajkpj.click 2->36 38 www.yyoqui.com 2->38 40 21 other IPs or domains 2->40 56 Snort IDS alert for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 7 other signatures 2->62 11 6tGbTK1i2x.exe 31 2->11         started        15 YourPhone.exe 189 20 2->15         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\System.dll, PE32 11->32 dropped 70 Tries to detect Any.run 11->70 17 6tGbTK1i2x.exe 6 11->17         started        signatures6 process7 dnsIp8 34 23.95.60.83, 50009, 80 AS-COLOCROSSINGUS United States 17->34 48 Modifies the context of a thread in another process (thread injection) 17->48 50 Tries to detect Any.run 17->50 52 Maps a DLL or memory area into another process 17->52 54 2 other signatures 17->54 21 explorer.exe 7 1 17->21 injected signatures9 process10 dnsIp11 42 www.epicfoodtrucks.com 198.251.81.49, 50035, 80 PONYNETUS United States 21->42 44 www.w2w37.com 192.74.228.114, 50037, 80 PEGTECHINCUS United States 21->44 46 12 other IPs or domains 21->46 64 System process connects to network (likely due to code injection or exploit) 21->64 25 raserver.exe 21->25         started        signatures12 process13 signatures14 66 Modifies the context of a thread in another process (thread injection) 25->66 68 Maps a DLL or memory area into another process 25->68 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df5fe9a0ba7f10d92cb21521aaa7850da19e7b3cfee35c2387dfe5d28e3480b3/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-08-01 10:42:41 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=35p6tif2p4inslfscuq2vj4fbwqz46z473rvyi4h37s5fdruqczq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
051101f45d03dac4583297cce0d708af562dedfa085b3d9dcfea40be2083e7ab
GuLoader
0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894
GuLoader
1769a8993a876094f9a4a9a7ca17ac3d669279178e32c097a3346825f982a2b1
GuLoader
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
GuLoader
529041b4abb84d9d85f97eb0a6fa6e26a5bf8c9f900316430134df6ce7a5a6ff
GuLoader
7d6e9247de0527fa4c0939c4f6e6726a35cb5f39492a7aeab5614ac1ab29b294
GuLoader
a2b5ddc4640236c4a5e09ae3418a1243d2ab37fc787999f8a3f8a3ec1f7deece
GuLoader
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
GuLoader
ae7a2eab74a6dbeaa780094a1885f588405f0f8eda83910f14e22759d1f1b7aa
GuLoader
ec27e95180289cd7ca8ebfafc4a1ec973448dcda09892716324966ac95ce4a87
GuLoader
+ 1'025 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:gs22 downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/230801-nzlaqsgf9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Formbook payload
Formbook
Guloader,Cloudeye
Unpacked files
SH256 hash:
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
MD5 hash:
3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 hash:
fe582246792774c2c9dd15639ffa0aca90d6fd0b
Link:
https://www.unpac.me/results/07556b65-b1a6-440b-8dd4-15b087c4ad85/
SH256 hash:
df5fe9a0ba7f10d92cb21521aaa7850da19e7b3cfee35c2387dfe5d28e3480b3
MD5 hash:
00b0d25748447094c22e11aaa1f8d0a0
SHA1 hash:
ff9c0831efa946446d8a6ca89f658e425762eaeb
Link:
https://www.unpac.me/results/07556b65-b1a6-440b-8dd4-15b087c4ad85/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df5fe9a0ba7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df5fe9a0ba7f10d92cb21521aaa7850da19e7b3cfee35c2387dfe5d28e3480b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe df5fe9a0ba7f10d92cb21521aaa7850da19e7b3cfee35c2387dfe5d28e3480b3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/439595/
  
URLhaus
https://urlhaus.abuse.ch/url/2694803/

Comments


Avatar
zbet commented on 2023-08-01 11:49:38 UTC

url : hxxp://103.6.248.9/S307M/wininit.exe