MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0cfaaad0273ec801827d319a3fba208da4a0231dab739635c24be3707c69279. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	f0cfaaad0273ec801827d319a3fba208da4a0231dab739635c24be3707c69279
SHA3-384 hash:	f8abe0d5a75d7ef4f9442610852faa8b57bc1eefd38a110f9b01bcd8aeabc631352a92eca8ca7d0ae858c98102735c34
SHA1 hash:	44d5567c47013bdf2b594c0854a70414cc6046cc
MD5 hash:	a400bdbdbecc3e00da0d11b577fb1788
humanhash:	charlie-april-mountain-tennessee
File name:	Pepsico RFQ PLLC105009207.com
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	310'392 bytes
First seen:	2022-04-05 12:45:43 UTC
Last seen:	2022-04-12 13:49:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	3072:sfY/TU9fE9PEtuPVClzZxWckN7sFIrbESgCzopj5y6ZRTg2mP7wBo+N9X22SR+2R:aYa6NN+k9gb5/ZRTrawBo0XBQWA/
Threatray	10'487 similar samples on MalwareBazaar
TLSH	T13164D0C0F918916DEC739A3514268ABE1A6BEC3FC295339B36C0B78D0C71163563EB59
File icon (PE):
dhash icon	69d4f0ce8cc0e061 (2 x GuLoader, 1 x Formbook)
Reporter	madjack_red
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	TVRFAGETS
Issuer:	TVRFAGETS
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-04-05T05:14:48Z
Valid to:	2023-04-05T05:14:48Z
Serial number:	00
Intelligence:	325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	4926ba35e0e8dc0c05454388dfbe56509120047b7a37ef53e996ded5c95e50cd
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Pepsico LLC RFQ Information.img

Verdict:

Malicious activity

Analysis date:

2022-04-05 08:50:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f72090e8-207a-4d98-a507-c13c48c7a6a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/260942/

Detection(s):

SecuriteInfo.com.Trojan.Win32.GuLoader.ac.31972.22398.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12697/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/624c3a1040ce5db9f40e942e/reports/0777c5b6-45a6-4d8a-bd71-3ed04163cfcd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b9c64fe3-70e1-4228-b4ba-e6990c276161

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/970817

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0cfaaad0273ec801827d319a3fba208da4a0231dab739635c24be3707c69279/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2022-04-05 12:46:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6dh2vlicopwiagbh2mm2h65cbdneuarr3k3tsy24es7dob6gsj4q._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

253f3e1ffc17c3ef73f007378392b6b18c856f03175e978572bc3f105b3754a2

GuLoader

39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5

GuLoader

3b71cc76f43648f26823ecf65fc133a9da6f03fb55f6f9ca0627824ee8862c6b

GuLoader

67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de

GuLoader

a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02

GuLoader

ae971526492d43606efd2d0f37ac9b262618a28274887388a7c7f9f095942a81

GuLoader

bd19d09ab53cc302c33c6ed5461aae7df3d0a62e0666f0b21f873c17c6f9f0fd

GuLoader

d3f274d21027d5681449dfb2573c6ac9510c12592f0eb7f5045f9f951b6dd894

GuLoader

ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677

GuLoader

+ 10'477 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:formbook family:guloader campaign:eo22 downloader rat spyware stealer trojan

Link:

https://tria.ge/reports/220405-pzl3psehe8/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Loads dropped DLL

Formbook Payload

Formbook

Guloader,Cloudeye

Unpacked files

SH256 hash:

8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

MD5 hash:

cff85c549d536f651d4fb8387f1976f2

SHA1 hash:

d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

Link:

https://www.unpac.me/results/adc84922-3d82-416d-8983-464878450759/

SH256 hash:

f0cfaaad0273ec801827d319a3fba208da4a0231dab739635c24be3707c69279

MD5 hash:

a400bdbdbecc3e00da0d11b577fb1788

SHA1 hash:

44d5567c47013bdf2b594c0854a70414cc6046cc

Link:

https://www.unpac.me/results/adc84922-3d82-416d-8983-464878450759/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0cfaaad0273ec801827d319a3fba208da4a0231dab739635c24be3707c69279

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260942/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample