MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeecc13b73494e435b8cae2c286e9da374f0ba16eb18509af640a71aa8b11195. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeecc13b73494e435b8cae2c286e9da374f0ba16eb18509af640a71aa8b11195
SHA3-384 hash: 3eeef1c5e8be0acbbc2d03b5e80fb5d13073c866742583dafa41c4a8b250c61dd1fef0441fb8544e216436a830bc4c9c
SHA1 hash: 10cce22339b26e1a5d794fcab7aa4fa683d30d40
MD5 hash: d5e08c49b1bcb72f9decfc3eddb36655
humanhash: south-crazy-bakerloo-music
File name:dhl-009765.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'000'751 bytes
First seen:2023-03-08 21:06:50 UTC
Last seen:2023-03-08 22:40:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (54 x GuLoader, 17 x RemcosRAT, 16 x AgentTesla)
ssdeep 12288:NGI5oD/F3GaDJNhx2GRUX/03fDzJiYAx5CIuyOeoO2v2WA6AfGRo2BzYjiHkNUO4:NyFWaD7HcmxiPx5C7eG+WGf037z57
Threatray 323 similar samples on MalwareBazaar
TLSH T1CE25018C3550D717EB6454717AD1A11ACD30BDACFC668856BF93B71A683020286FBE3E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DHL exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dhl-009765.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 21:17:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17879b43-f80f-42a9-a010-6686cb6beee3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372774/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65828614.29231.9841.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a file
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6408f8fdaa9d4ecc35bc413b/reports/7a3c66d2-cebc-4991-844b-74c1789993f6/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/eeecc13b73494e435b8cae2c286e9da374f0ba16eb18509af640a71aa8b11195
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2d59f3df-8cef-4895-90ab-e26e6f1c73a9
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189814
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 12227 Sample: dhl-009765.exe Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 40 www.themssterofssuepnse.rest 2->40 42 www.themesterofsuepnse.rest 2->42 44 24 other IPs or domains 2->44 62 Snort IDS alert for network traffic 2->62 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 6 other signatures 2->68 11 dhl-009765.exe 1 34 2->11         started        signatures3 process4 file5 32 C:\Users\user\Mumruffin\...\series.dll, PE32+ 11->32 dropped 34 C:\Users\user\Mumruffin\...\memstat.dll, PE32+ 11->34 dropped 36 C:\Users\user\...\libgobject-2.0-0.dll, PE32+ 11->36 dropped 38 2 other files (none is malicious) 11->38 dropped 80 Tries to detect Any.run 11->80 82 Opens the same file many times (likely Sandbox evasion) 11->82 15 dhl-009765.exe 6 11->15         started        signatures6 process7 dnsIp8 52 sena-unusual-activity-com.jovannystark.ml 172.67.137.16, 443, 49829 CLOUDFLARENETUS United States 15->52 54 Modifies the context of a thread in another process (thread injection) 15->54 56 Tries to detect Any.run 15->56 58 Maps a DLL or memory area into another process 15->58 60 2 other signatures 15->60 19 RAVCpl64.exe 15->19 injected signatures9 process10 process11 21 ipconfig.exe 13 19->21         started        signatures12 70 Tries to steal Mail credentials (via file / registry access) 21->70 72 Tries to harvest and steal browser information (history, passwords, etc) 21->72 74 Writes to foreign memory regions 21->74 76 3 other signatures 21->76 24 explorer.exe 3 1 21->24 injected 28 firefox.exe 21->28         started        process13 dnsIp14 46 he.adsfzcvx.com 154.210.211.109, 49924, 49925, 49926 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 24->46 48 allthekey.com 92.204.219.113, 49843, 49844, 49845 VELIANET-ASvelianetInternetdiensteGmbHDE Germany 24->48 50 13 other IPs or domains 24->50 78 System process connects to network (likely due to code injection or exploit) 24->78 30 WerFault.exe 4 28->30         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeecc13b73494e435b8cae2c286e9da374f0ba16eb18509af640a71aa8b11195/
Threat name:
Win32.Packed.Krynis
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 01:16:23 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
14 of 25 (56.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53wmco3tjfhegw4mvywcq3u5un2pboqw5mmfbgxwictrvkfrcgkq._file
Verdict:
malicious
Similar samples:
10a21f1899dd0e83ead2011c4638017bc4723a06be0c2058a9f3214da4974a8d
GuLoader
1a090934724f507a62abdf0d9b07f477cc504d50b469f52797df17fc8739549a
GuLoader
29da2190a5e040e36cf79c7948eca244100b64eea9236b7279f97381fdc3e695
GuLoader
334911b248ad837e24303037e3733e61b119998dc1e1ce8bf7a444754a4cda01
GuLoader
472e9dd9be99ecc9a99dbed1014492ba726a6038a1e1b76621026d9b3b27fe89
GuLoader
89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944
GuLoader
b076cbf14c6f0a9bbb4aaaf8242622cefb6bccdf2aef9e130b48a0552bb5016f
GuLoader
bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350
GuLoader
d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87
GuLoader
+ 313 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230308-zydeaaga9x/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
Unpacked files
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/b36dd8cc-7f40-4aed-b299-6f24765991a5/
SH256 hash:
eeecc13b73494e435b8cae2c286e9da374f0ba16eb18509af640a71aa8b11195
MD5 hash:
d5e08c49b1bcb72f9decfc3eddb36655
SHA1 hash:
10cce22339b26e1a5d794fcab7aa4fa683d30d40
Link:
https://www.unpac.me/results/b36dd8cc-7f40-4aed-b299-6f24765991a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/eeecc13b73494e435b8cae2c286e9da374f0ba16eb18509af640a71aa8b11195

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372774/

Comments