MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d
SHA3-384 hash: a7fdf59b60746f245c1d9cbd39d67df273c7b6c59dbc8e13c66d6a4f15beafdc025ef2f98c2126abe5e47b7c7ebe1ca9
SHA1 hash: c88b36241f52e1ea2184ca7a165d61ab24c6feca
MD5 hash: a601020eda09717c7e87392d5b0f90d5
humanhash: east-washington-oxygen-kilo
File name:Vaskekummen.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:401'664 bytes
First seen:2022-09-05 11:42:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (388 x GuLoader, 59 x RemcosRAT, 44 x VIPKeylogger)
ssdeep 6144:8LsBN8xoIiL54j0CCRALS9f1nNI8w3KAdgZ6V/a56Eq8C+QFwKWkJ3CPf:HBoj0CfuNI8e9d+V56uoJ3af
Threatray 1'227 similar samples on MalwareBazaar
TLSH T1A884F1836954A9E2E8A9547244670BF317357C3E97C1862332D8BF3B79A3352D70E21A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7c5ccdbf8eacd4d4 (3 x GuLoader)
Reporter adrian__luca
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Kartoteksoplysningernes Centralkomiteerne
Issuer:Kartoteksoplysningernes Centralkomiteerne
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-24T18:25:21Z
Valid to:2025-03-23T18:25:21Z
Serial number: -011c2946ad52c952
Thumbprint Algorithm:SHA256
Thumbprint: be2109eca84d4cb6920af212ac0e94870521978766de6ddea5d3aaa7e090a0a6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
376
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Vaskekummen.exe
Verdict:
Malicious activity
Analysis date:
2022-09-05 11:45:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5592c573-12ca-4539-a7d2-b5eba2039c07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307849/
Detection(s):
Porcupine.Unclassified.12055.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36672/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6315e1242916aa42940e6561/reports/32cdc2fb-9317-4d05-a701-b7820291429f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/032f0246-000e-4b6a-b10b-953ad47be0e0
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065073
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 697599 Sample: Vaskekummen.exe Startdate: 05/09/2022 Architecture: WINDOWS Score: 100 58 www.wigginsllc.biz 2->58 60 www.trilliontrees.club 2->60 62 41 other IPs or domains 2->62 82 Snort IDS alert for network traffic 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 9 other signatures 2->88 11 Vaskekummen.exe 5 31 2->11         started        signatures3 process4 file5 50 C:\Users\user\AppData\Local\...\System.dll, PE32 11->50 dropped 52 C:\Users\user\AppData\Local\...\msadox28.tlb, PE32+ 11->52 dropped 104 Tries to detect Any.run 11->104 15 Vaskekummen.exe 6 11->15         started        signatures6 process7 dnsIp8 70 googlehosted.l.googleusercontent.com 172.217.18.1, 443, 49758, 49795 GOOGLEUS United States 15->70 72 drive.google.com 216.58.212.174, 443, 49755, 49794 GOOGLEUS United States 15->72 74 Modifies the context of a thread in another process (thread injection) 15->74 76 Tries to detect Any.run 15->76 78 Maps a DLL or memory area into another process 15->78 80 2 other signatures 15->80 19 explorer.exe 1 6 15->19 injected signatures9 process10 dnsIp11 64 www.heatedaffsirs.com 185.53.179.172, 49787, 49788, 49821 TEAMINTERNET-ASDE Germany 19->64 66 www.jzzikao.com 117.18.11.106, 49776, 80 SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong Hong Kong 19->66 68 19 other IPs or domains 19->68 48 C:\Users\user\AppData\...\1bxlpbmxb6qlt.exe, PE32 19->48 dropped 90 System process connects to network (likely due to code injection or exploit) 19->90 92 Benign windows process drops PE files 19->92 24 mstsc.exe 1 12 19->24         started        27 1bxlpbmxb6qlt.exe 18 19->27         started        file12 signatures13 process14 file15 94 Tries to steal Mail credentials (via file / registry access) 24->94 96 Tries to harvest and steal browser information (history, passwords, etc) 24->96 98 Writes to foreign memory regions 24->98 102 3 other signatures 24->102 30 cmd.exe 2 24->30         started        34 cmd.exe 1 24->34         started        36 cmd.exe 1 24->36         started        38 firefox.exe 24->38         started        54 C:\Users\user\AppData\Local\...\System.dll, PE32 27->54 dropped 100 Tries to detect Any.run 27->100 40 1bxlpbmxb6qlt.exe 27->40         started        signatures16 process17 file18 56 C:\Users\user\AppData\Local\Temp\DB1, SQLite 30->56 dropped 106 Tries to harvest and steal browser information (history, passwords, etc) 30->106 42 conhost.exe 30->42         started        44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        108 Tries to detect Any.run 40->108 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2022-08-31 10:31:32 UTC
File Type:
PE (Exe)
Extracted files:
85
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rwyez7lp7tdnuwfdayqbpex4sutworbyxivmynd3re25ci7mioq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0f9a3149d869c89dce449fb41b56ac6d1d92cd86ebed8b480094efde569074c9
GuLoader
275db34b1b3d894ed18fba50f477ca897bb3656682c7d0ef2941bd7c696e9f80
GuLoader
595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb
GuLoader
5fd8c33a5491be40bb0685430728361feb280f92f318f7f0a327bd63fca86f99
GuLoader
78fc852976d4f8e68360f4bd282b78abb21f7aa02b52cf885203b43d0838c5ef
GuLoader
7d99aa5b81da99461aa61d5542cabce7bc5ffedc56cd1c1d9d6e58e242b38802
GuLoader
9eb36da080a9a28d471c577177dd331643d47eff7f9cfe35f96586eb27d202f8
GuLoader
a18ab93f8c9268841b6cd59842a935651d9267fa2b8f72b2196cf68f7b57df9d
GuLoader
e5653285dfebc9a95f3a866693752e3f0e62ae312aaf054249067e22cf5836a5
GuLoader
fe00f0b94120e6994117bf92c39940b5a499821e3684163cae07a8fb0ea1c5f1
GuLoader
+ 1'217 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220905-nvkteaahh4/
Behaviour
Enumerates physical storage devices
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
MD5 hash:
17ed1c86bd67e78ade4712be48a7d2bd
SHA1 hash:
1cc9fe86d6d6030b4dae45ecddce5907991c01a0
Link:
https://www.unpac.me/results/e9e1cf70-7980-49bf-9a39-f901d8e9ae70/
SH256 hash:
f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d
MD5 hash:
a601020eda09717c7e87392d5b0f90d5
SHA1 hash:
c88b36241f52e1ea2184ca7a165d61ab24c6feca
Link:
https://www.unpac.me/results/e9e1cf70-7980-49bf-9a39-f901d8e9ae70/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/307849/

Comments