MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed791c7130a52e0b4c3fc694e2955936fe0aa0052503d70caa19744de6b15baf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed791c7130a52e0b4c3fc694e2955936fe0aa0052503d70caa19744de6b15baf
SHA3-384 hash: 5ed94a5735b4bb2b7b8b177517ece1a350ab5bcb4a82231e4cd7309bda6107fa21beed8a3d5a75863821ec03d4cba1b9
SHA1 hash: 1203fba19805b8a33c39c39588268f60a61f0872
MD5 hash: f8f22c4c4b54bb78aa18c80bf25f6cdc
humanhash: floor-echo-paris-cold
File name:f8f22c4c4b54bb78aa18c80bf25f6cdc
Download: download sample
Signature GuLoader
Create hunting rule
File size:472'337 bytes
First seen:2022-05-24 19:13:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:73nKn0c4uKYOrtGllOgds8t6YQt89VgZu:73ni0c4f7rtylOSs8N
Threatray 1'882 similar samples on MalwareBazaar
TLSH T19AA4E1135B08487AD87E0F73B01AF6B248726F776960A30F7786B53729B11124A2FDB5
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0e8c8c88e8eb29a (5 x GuLoader)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f8f22c4c4b54bb78aa18c80bf25f6cdc
Verdict:
Malicious activity
Analysis date:
2022-05-24 21:03:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/da51d61f-a21a-41eb-b24e-7930b3929030

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274256/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19914/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/628d2eb86eb3ff326328ade5/reports/543a403e-a21d-4e30-9b25-4676fc1b5f40/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d97e1e1-7736-41d5-b78d-cd30e8826fad
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000990
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633484 Sample: 2gl1wtChCW.exe Startdate: 24/05/2022 Architecture: WINDOWS Score: 100 56 www.travelchanel3d.com 2->56 58 www.thebeautystore.store 2->58 60 20 other IPs or domains 2->60 80 Snort IDS alert for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 88 9 other signatures 2->88 11 2gl1wtChCW.exe 9 29 2->11         started        signatures3 86 Tries to resolve many domain names, but no domain seems valid 58->86 process4 file5 52 C:\Users\user\AppData\Local\...\System.dll, PE32 11->52 dropped 54 C:\Users\user\AppData\...\System.Net.Quic.dll, PE32+ 11->54 dropped 104 Tries to detect Any.run 11->104 15 2gl1wtChCW.exe 6 11->15         started        signatures6 process7 dnsIp8 68 tuprestamocontarjeta.com.ar 167.250.5.44, 49763, 80 NUTHOSTSRLAR Argentina 15->68 70 Modifies the context of a thread in another process (thread injection) 15->70 72 Tries to detect Any.run 15->72 74 Maps a DLL or memory area into another process 15->74 78 2 other signatures 15->78 19 explorer.exe 1 7 15->19 injected signatures9 76 Tries to resolve many domain names, but no domain seems valid 68->76 process10 dnsIp11 62 www.bctp.xyz 150.109.149.99, 49790, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 19->62 64 www.99221.net 103.212.230.60, 49788, 80 SKHT-ASShenzhenKatherineHengTechnologyInformationCo China 19->64 66 7 other IPs or domains 19->66 44 C:\Users\user\AppData\...\chkdsk9r14nlsp.exe, PE32 19->44 dropped 90 System process connects to network (likely due to code injection or exploit) 19->90 92 Benign windows process drops PE files 19->92 24 raserver.exe 1 18 19->24         started        28 chkdsk9r14nlsp.exe 19 19->28         started        file12 signatures13 process14 file15 46 C:\Users\user\AppData\...\2LMlogrv.ini, data 24->46 dropped 48 C:\Users\user\AppData\...\2LMlogri.ini, data 24->48 dropped 94 Detected FormBook malware 24->94 96 Tries to steal Mail credentials (via file / registry access) 24->96 98 Self deletion via cmd delete 24->98 102 5 other signatures 24->102 30 cmd.exe 2 24->30         started        33 firefox.exe 1 24->33         started        36 cmd.exe 1 24->36         started        50 C:\Users\user\AppData\Local\...\System.dll, PE32 28->50 dropped 100 Tries to detect Any.run 28->100 signatures16 process17 file18 106 Tries to harvest and steal browser information (history, passwords, etc) 30->106 38 conhost.exe 30->38         started        42 C:\Users\user\AppData\...\2LMlogrf.ini, data 33->42 dropped 40 conhost.exe 36->40         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed791c7130a52e0b4c3fc694e2955936fe0aa0052503d70caa19744de6b15baf/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 19:14:11 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
15 of 26 (57.69%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1298d5b931dadd03d47b41c51556fb5707a6af6df9b4b483686fdbf155d083fd
GuLoader
19e5b14651f7ad050e2b9dc95e5bb7574a8fdde378bfbc7101ee7e2276c23d62
GuLoader
2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee
GuLoader
5810b0d44b3328dead0b3bc7fc6c3178193a1bd88c5b21ecaea224f56cc7aef3
GuLoader
8db83c5c1507e0307df594c1f068faef19e6e3377dd8d6ed3c9610b70bf93356
GuLoader
aac13b3f25b043fcc1baaa1481ab241a4845ff0d978fe86a455deaf28cedd352
GuLoader
ca5cc4f7922dfbfe895bf8421366260ca591ae794e04de9fbf1e3ccc2b2530db
GuLoader
+ 1'872 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220524-xxmv8aabdr/
Behaviour
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
5ce19d99f7236a2e446ad52be180aeb5709046b0bd616092f8c6dfe84a415bce
MD5 hash:
6f16880467cd3de4191fd566eb5a03c5
SHA1 hash:
de649329ea07c6b76e6b0a529521a3fa87843cb2
Link:
https://www.unpac.me/results/1e33e688-2ef1-409f-9130-d41189876f62/
SH256 hash:
ed791c7130a52e0b4c3fc694e2955936fe0aa0052503d70caa19744de6b15baf
MD5 hash:
f8f22c4c4b54bb78aa18c80bf25f6cdc
SHA1 hash:
1203fba19805b8a33c39c39588268f60a61f0872
Link:
https://www.unpac.me/results/1e33e688-2ef1-409f-9130-d41189876f62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed791c7130a52e0b4c3fc694e2955936fe0aa0052503d70caa19744de6b15baf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe ed791c7130a52e0b4c3fc694e2955936fe0aa0052503d70caa19744de6b15baf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2209718/
Cape
Cape
https://www.capesandbox.com/analysis/274256/

Comments


Avatar
zbet commented on 2022-05-24 19:13:42 UTC

url : hxxp://103.149.13.182/diskoncloud/.svchost.exe