MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd8041671d2c1c0fbd0a5150cbe98a4cde0c437efb56c6b5a0d90f279a38d811. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd8041671d2c1c0fbd0a5150cbe98a4cde0c437efb56c6b5a0d90f279a38d811
SHA3-384 hash: c87335cbfab389f57c00e025e2899c7dc8c95ae0e04af3dc46c76c748c5740e093be6088c4989826c0acf35d70e6f4fb
SHA1 hash: 36a43d564b313bdf3edfa22b8405188491accc52
MD5 hash: 62224343e692daf39da2047e1386ef34
humanhash: lima-gee-delaware-edward
File name:copia de la transferencia.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:834'640 bytes
First seen:2023-07-26 14:48:58 UTC
Last seen:2023-07-26 17:47:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f23f452093b5c1ff091a2f9fb4fa3e9 (276 x GuLoader, 37 x RemcosRAT, 23 x AgentTesla)
ssdeep 12288:dIkdkz6kw3kfkVxkUxkekKkpkRqkwk+kTkZkJkDkqkzkAkkYkk/ck7kAkkPkkjku:dg3MRT3FSf4hAtjaTw0mYgjl1tD
Threatray 1'015 similar samples on MalwareBazaar
TLSH T1B4059E772AC0C7EACFB1BDB2792B48787B666E7B51545457338033C90BF65A39832602
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e00cfce6bee0c00c (6 x GuLoader)
Reporter James_inthe_box
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-11T05:54:03Z
Valid to:2025-11-10T05:54:03Z
Serial number: 6d818685a73548a39a186efea45cc1f4dba3c6f7
Thumbprint Algorithm:SHA256
Thumbprint: 9d1f7339a7d2ee27f08dcc926fd0b7320eec1c0c20ffdbb1d63b6ddb84cd58a9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
copia de la transferencia.exe
Verdict:
Malicious activity
Analysis date:
2023-07-26 14:49:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a1dce94b-68be-47f4-ab3e-7fc336e32bf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/433941/
Detection(s):
SecuriteInfo.com.W32.Injector.OUAP-9288.5507.32124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Delayed reading of the file
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/fd8041671d2c1c0fbd0a5150cbe98a4cde0c437efb56c6b5a0d90f279a38d811
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f9c8d491-9bc8-4f95-824b-27f7bdfc61d3
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280269
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1280269 Sample: copia_de_la_transferencia.exe Startdate: 26/07/2023 Architecture: WINDOWS Score: 100 34 www.yokaiph.store 2->34 36 www.wsaas.agency 2->36 38 21 other IPs or domains 2->38 52 Snort IDS alert for network traffic 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 5 other signatures 2->58 10 copia_de_la_transferencia.exe 1 325 2->10         started        signatures3 process4 file5 30 C:\Users\user\...\System.Threading.dll, PE32+ 10->30 dropped 32 C:\Users\user\AppData\Local\...\System.dll, PE32 10->32 dropped 70 Tries to detect Any.run 10->70 14 copia_de_la_transferencia.exe 6 10->14         started        signatures6 process7 dnsIp8 46 drive.google.com 142.250.186.142, 443, 50241 GOOGLEUS United States 14->46 48 googlehosted.l.googleusercontent.com 142.250.186.97, 443, 50242 GOOGLEUS United States 14->48 72 Modifies the context of a thread in another process (thread injection) 14->72 74 Tries to detect Any.run 14->74 76 Maps a DLL or memory area into another process 14->76 78 Queues an APC in another process (thread injection) 14->78 18 RAVCpl64.exe 14->18 injected signatures9 process10 signatures11 50 Sample uses process hollowing technique 18->50 21 mstsc.exe 13 18->21         started        process12 signatures13 60 Tries to steal Mail credentials (via file / registry access) 21->60 62 Tries to harvest and steal browser information (history, passwords, etc) 21->62 64 Writes to foreign memory regions 21->64 66 3 other signatures 21->66 24 explorer.exe 2 1 21->24 injected 28 firefox.exe 21->28         started        process14 dnsIp15 40 www.yokaiph.store 185.27.134.59, 50270, 50271, 50272 WILDCARD-ASWildcardUKLimitedGB United Kingdom 24->40 42 cvanalysiswithai.com 67.20.76.62, 50274, 50275, 50276 UNIFIEDLAYER-AS-1US United States 24->42 44 14 other IPs or domains 24->44 68 System process connects to network (likely due to code injection or exploit) 24->68 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd8041671d2c1c0fbd0a5150cbe98a4cde0c437efb56c6b5a0d90f279a38d811/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 14:47:52 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7waeczy5fqoa7pikkfimx2mkjtpayq367nlmnnna3ehspgry3aiq._file
Verdict:
unknown
Similar samples:
051101f45d03dac4583297cce0d708af562dedfa085b3d9dcfea40be2083e7ab
GuLoader
1769a8993a876094f9a4a9a7ca17ac3d669279178e32c097a3346825f982a2b1
GuLoader
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
GuLoader
529041b4abb84d9d85f97eb0a6fa6e26a5bf8c9f900316430134df6ce7a5a6ff
GuLoader
7d6e9247de0527fa4c0939c4f6e6726a35cb5f39492a7aeab5614ac1ab29b294
GuLoader
9b77dffb83a26f126a334f4dd9de9c8a21802a1b05de3067584ebfa25826f9fa
GuLoader
a2b5ddc4640236c4a5e09ae3418a1243d2ab37fc787999f8a3f8a3ec1f7deece
GuLoader
a88caf11b01cea311aca13b6e757a8974d5033e1acb8749b9d1951ed0d93d44c
GuLoader
ae7a2eab74a6dbeaa780094a1885f588405f0f8eda83910f14e22759d1f1b7aa
GuLoader
ec27e95180289cd7ca8ebfafc4a1ec973448dcda09892716324966ac95ce4a87
GuLoader
+ 1'005 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230726-r61wjsdg8t/
Behaviour
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Unpacked files
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/99d45e53-f5df-41d1-beaa-0ece16a18e6b/
SH256 hash:
fd8041671d2c1c0fbd0a5150cbe98a4cde0c437efb56c6b5a0d90f279a38d811
MD5 hash:
62224343e692daf39da2047e1386ef34
SHA1 hash:
36a43d564b313bdf3edfa22b8405188491accc52
Link:
https://www.unpac.me/results/99d45e53-f5df-41d1-beaa-0ece16a18e6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fd8041671d2c1c0fbd0a5150cbe98a4cde0c437efb56c6b5a0d90f279a38d811

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/433941/

Comments