MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
SHA3-384 hash: ec98a9283d3f6fc92bf10c72d9a4f7f28e05ecb688972ca785a88d2abab40e33e9fc7ec3cb33f25a0258e3d2cc1dd6c7
SHA1 hash: 457dd80fbfd63c41590fddf9ee96c77b8e4d96b6
MD5 hash: 21585cb7187fa942d86aef7f61b3fe7e
humanhash: skylark-quiet-carolina-four
File name:Bootblacks.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:301'624 bytes
First seen:2024-06-11 17:08:30 UTC
Last seen:2024-06-11 17:22:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 6144:1FeiEu4A/6RirwBfYbv64ATs+XBOL6JEQR3YWOLwD:Gil4pZ1Yzug+XEkIWEw
Threatray 916 similar samples on MalwareBazaar
TLSH T17F5402166EC0DCBBE89F10758172A91E8FF08807A5460B4F677D3ED9B931742492E6EC
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon a6ae5596aa96ae00 (1 x GuLoader)
Reporter malwarelabnet
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
348
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b.exe
Verdict:
Malicious activity
Analysis date:
2024-06-11 17:12:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ddd69d3d-ed2f-4e82-a858-3db1eb8983ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Johnnie-6912799-0
Create hunting rule

SecuriteInfo.com.Trojan.NSIS.Injector.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666885185c0e232c1ff04d8awin7simulatehigh_evasion
Tags:
Encryption Execution Network Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file
Delayed reading of the file
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/666884b16b8dba248b3f9337/reports/49fdf3a4-d230-4d33-badd-531f29267b5c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e3aa8457-c7ac-4747-8d36-e76395489953
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455376
Signature
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Submitted sample is a known malware sample
Switches to a custom stack to bypass stack traces
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455376 Sample: Bootblacks.exe Startdate: 11/06/2024 Architecture: WINDOWS Score: 100 40 www.funtechie.top 203.161.49.193, 50489, 50490, 50491 VNPT-AS-VNVNPTCorpVN Malaysia 2->40 42 www.lm2ue.us 91.195.240.123, 50493, 50494, 50495 SEDO-ASDE Germany 2->42 44 29 other IPs or domains 2->44 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 8 Bootblacks.exe 2 107 2->8         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\System.dll, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\BgImage.dll, PE32 8->38 dropped 58 Submitted sample is a known malware sample 8->58 60 Obfuscated command line found 8->60 62 Mass process execution to delay analysis 8->62 64 Switches to a custom stack to bypass stack traces 8->64 12 Bootblacks.exe 8->12         started        16 cmd.exe 1 8->16         started        18 cmd.exe 1 8->18         started        20 271 other processes 8->20 signatures6 process7 dnsIp8 46 drive.google.com 142.251.40.142, 443, 50474 GOOGLEUS United States 12->46 48 drive.usercontent.google.com 142.251.40.193, 443, 50475 GOOGLEUS United States 12->48 66 Maps a DLL or memory area into another process 12->66 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        28 conhost.exe 20->28         started        30 conhost.exe 20->30         started        32 267 other processes 20->32 signatures9 process10
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-06-10 12:48:23 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=36xhkgagug7m7kcjk5fxwkreh6ickuhr64sfrpwvxqbxph7kf4fq._file
Verdict:
malicious
Similar samples:
12793dc2882c9b44c06752a4fe39161c77de6075cf859db47715b83708926e9a
GuLoader
2489ed4ad13317146172de6a5c704cc6897ed228f10107c9ec90a7eb142cf84a
GuLoader
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
GuLoader
7c9e88afcdeebca3c1f07c6a2c571d2fd51260c6dba7fdf0d2d10999ba23836d
GuLoader
88dab0ee02a70b83cb4c99ffa6e809c2789c9e1d55cdcd92454f73bf9d5effa4
GuLoader
8d4b6402a6c425fd43bcafdcdf6e08033daef3980e25fe7edf457d030736f602
GuLoader
c38606758c66572a12b14f0fff37d2d708cfb7aded6fffe4516f1691f56690c6
GuLoader
c828cbb41945322c3294bd70c8c6423ae001604c3fa725422d0de59dd7e653b7
GuLoader
c99e5d501ac5c8bbe555461e1fbdaab837b6d2da32b272a42050841b0a6f3378
GuLoader
+ 906 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240611-vn422avcmk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/35a16b62-9f7e-42dc-b1f8-054a0b7f3365
Unpacked files
SH256 hash:
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
MD5 hash:
55a26d7800446f1373056064c64c3ce8
SHA1 hash:
80256857e9a0a9c8897923b717f3435295a76002
Detections:
win_qtbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e4fd850d-247a-477a-b6a7-1014859a759a/
Parent samples :
dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
e689963b4319dd5d5249ac1c629af5951f4e90db8040bf7ee33492e54c2c6487
bba7b7e91056db7fb6f628ab6478960b96c1a9d8606d6d5b4d74d5043b2bad79
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
2952bf5efc5b011349d22cbe6e7a813f0ae014d145f23115184a36a1448262d0
4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
830b4dcec27e5d45a9bb7bc538fc026e4af5c3a18de4a71e80b066afe059ac54
2db92a3fa08dc8e97b4f2651e9ec1d123d2556ce5bc7ec9474672767f6505e26
f2b345fcebcd9ed2e342399cfe9819abee7c3642efb6279ad3b4c940555d4564
101057440710c8766fc47fb315ba9fb471c633079c034d5d213e3011cfe075a9
252c26a5ea749569e41b4ce291ea4ff21d08ca884123c8ff171433a359455033
601bc4c4ff50e846a29e702f894f72b8cea1c7c200b363795ed7905784dde043
337b4c24e057d2585f87ed8ad3711ea4c59a3ae1b0895176d983bbc0c64a1d11
1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764
f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
31eb29c56f113f47c0e4d29f346f685db8a00b9394efa9643caafa254f0618d7
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
406a9e03ab016d68a3aa919ac67397a83081f3ef478baf752d90545ec0fac6dc
e1e722daed3f9e886b15a541de7d67a023f42b2af431a5b6879ad7d32a1c36bf
170825eaa838a2e43fc76d3ad458982182f7b5471554ffd993525fd928b21d3d
1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1
2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
3a66e54745e3455f2a8ecf35cc2ae7f3e4c7f960b547a65a55ac8ee4209b37e4
a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e
f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
ec06ca55bb1ff5e2c51e7756302a11bfc5341b6baa323788d93d646bd84602da
9a66af305ab345c37b408f496c0ad1251e1346f41586742df225af2c6564d576
9b2665438001f2c82c0737efac921004f3435efb29d1edffede8e45683a164a9
SH256 hash:
d0607e535ff5573638ee1d70612e2239d5cb3c87307f48cfd57aa1c5cc0d9524
MD5 hash:
24db082241ace4aca15bdf1e8460c92b
SHA1 hash:
d317ef130af6ea6a72a958eee20a58568d38f23d
Link:
https://www.unpac.me/results/e4fd850d-247a-477a-b6a7-1014859a759a/
SH256 hash:
bf0cf3990c6c23dd91ec21071c31537f36355b6d6900358e1536b9a377427619
MD5 hash:
26fc881f84b7f9081cf6b58ab8f9ec08
SHA1 hash:
c4424b9a716392228d55f7d067592d77e9d1b5d2
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/e4fd850d-247a-477a-b6a7-1014859a759a/
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
SH256 hash:
8977064c4011eca5b0cde440b66d878d2af2dc33b10f252e4810d942256be6c1
MD5 hash:
d0b62a08a3d4cd5138dfa54ed7b7511d
SHA1 hash:
fd81fc9953eec3c36768370102b7e4439e00b87b
Detections:
win_flawedammyy_auto
Create hunting rule
Link:
https://www.unpac.me/results/e4fd850d-247a-477a-b6a7-1014859a759a/
SH256 hash:
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
MD5 hash:
21585cb7187fa942d86aef7f61b3fe7e
SHA1 hash:
457dd80fbfd63c41590fddf9ee96c77b8e4d96b6
Link:
https://www.unpac.me/results/e4fd850d-247a-477a-b6a7-1014859a759a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments