MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebe9964a660c6c7257506706957f6206903770579c92af9d0f0ae7f13f9676e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebe9964a660c6c7257506706957f6206903770579c92af9d0f0ae7f13f9676e1
SHA3-384 hash: 328ca54ee760dfd1908aa16dab6da2642b1367e07d3d1bbf50e417a8ac7290cdc280e898cbce82f3e8a964db8d0cb3c1
SHA1 hash: fa22615028e63837aff52d0abd041f588db7fe5b
MD5 hash: 52c3ef38f5ce148f9e14b859c01584dc
humanhash: oxygen-uranus-romeo-crazy
File name:INVOICE1 AND 2.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:820'595 bytes
First seen:2023-12-11 13:22:52 UTC
Last seen:2023-12-18 08:51:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 24576:RfSxsh1/3qFILf6omX30pgFPo0rX6samBS/Lq:NSxsh1/zLf6oe30pFCfrBo
Threatray 755 similar samples on MalwareBazaar
TLSH T16305F2E7C486A3C1EDA091BED95D4952237A3D7FE07ABAC923E155229543022C33BDD3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2b03000101010109 (1 x GuLoader)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
227
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/465141/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the Program Files subdirectories
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/65770ee33f60a810348f200d/reports/da88e5f5-9a2e-4696-9f9d-371c3a4b7564/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ebe9964a660c6c7257506706957f6206903770579c92af9d0f0ae7f13f9676e1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6efc67ab-31ed-434e-b4f1-8efc8367521a
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1360087
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ebe9964a660c6c7257506706957f6206903770579c92af9d0f0ae7f13f9676e1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebe9964a660c6c7257506706957f6206903770579c92af9d0f0ae7f13f9676e1/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 02:48:01 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5puzmstgbrwhev2qm4djk73ca2ido4cxtsjk7hipblt7cp4wo3qq._file
Verdict:
unknown
Similar samples:
1eda1b310543e616e8b7b97e8e5f13597fb3a67ed9658b3daba2f49361563689
GuLoader
26e297f8f4bf5837af4c8b5132598c2eed45245c4f6baf0e8c960ff2a555989e
GuLoader
47e71db77dc8258663e0715a3b8d4a1c9e105f76a0c771d79654fd03236bfd1e
GuLoader
5f6366e20fde275710415f996748edb9f1091c0b0e47bf2ddc91a59ecd90d54c
GuLoader
6bb2f555edca2bc8b12c33f65b84d05a570043de008ec8d9a31a6b4952f01d02
GuLoader
7384dec8a7a13e1709dff93154c0cd796055798a19fe470f30c211a991d46849
GuLoader
87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
GuLoader
d42cc862ab4fb764a7a376e528a6373d2f939353d8ea223f2b1e1abd28c5cc84
GuLoader
e278ecca391be13103b9584a01fd2bbd4fabdfef4756e3870e48140a304894e2
GuLoader
f2ad5670f46f3be3f5bd5b6bd9d3122dad6a48664bad0e6f4418396e02ab8c00
GuLoader
+ 745 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231211-qqz4mshbg8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
ebe9964a660c6c7257506706957f6206903770579c92af9d0f0ae7f13f9676e1
MD5 hash:
52c3ef38f5ce148f9e14b859c01584dc
SHA1 hash:
fa22615028e63837aff52d0abd041f588db7fe5b
Link:
https://www.unpac.me/results/dcbf9b16-7124-4253-a161-9f7dc85bb3af/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ebe9964a660c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebe9964a660c6c7257506706957f6206903770579c92af9d0f0ae7f13f9676e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe ebe9964a660c6c7257506706957f6206903770579c92af9d0f0ae7f13f9676e1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/465141/

Comments