MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6
SHA3-384 hash: 924ce39eb0a83cbb2304df910644837209f2e423ab0a783f4dd4403dfdb29b8fbd113026f3973fa59c4abe4d491d388d
SHA1 hash: 2537483fa23a2d8ec472f3e81ea2de323856d0fb
MD5 hash: ed61febcba66f166082b96a553f2cb33
humanhash: black-leopard-eleven-low
File name:hkcmd.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:335'920 bytes
First seen:2023-06-01 11:16:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep 6144:sBefKbrrroNGI1tFA83et3JLa/Ia7H+UQqsHHkrPAimUL:BarrroNZx7kZxkXxsHErPAim+
Threatray 1'561 similar samples on MalwareBazaar
TLSH T11964DF162164BC43CC0C6DF1386B96DDAD671E7046AD463AEFD03A193B31B0FE71A292
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c0c4f47864647864 (4 x GuLoader, 3 x Loki, 3 x AgentTesla)
Reporter JAMESWT_WT
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-05T03:05:18Z
Valid to:2025-06-04T03:05:18Z
Serial number: 0ac66d88ae2fb5f0789d5b4a93b5dd1a1466e0e1
Thumbprint Algorithm:SHA256
Thumbprint: 8093914f3d086f6ad0a62138d0ecd29da132d518eaf07d1185e1d1995fff9dd7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hkcmd.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 11:16:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55ea6d9b-b469-4ec4-939b-6e9224991959

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394366/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.31020.16397.20236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88916/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
buer lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64787e2eb9bd75d40def8aa8/reports/6ad22885-50ee-4d15-bab5-a1674763ab67/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/23bedcd8-b489-44c9-9dd9-9f4c6d232d1e
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1246742
Signature
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 879758 Sample: hkcmd.exe Startdate: 01/06/2023 Architecture: WINDOWS Score: 100 32 www.yahialocation.com 2->32 34 www.wirsindvereinigung.com 2->34 36 16 other IPs or domains 2->36 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 8 hkcmd.exe 1 29 2->8         started        signatures3 process4 file5 28 C:\Users\user\AppData\Local\...\System.dll, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\totype.dll, PE32+ 8->30 dropped 56 Tries to detect Any.run 8->56 12 wlanext.exe 13 8->12         started        15 hkcmd.exe 6 8->15         started        18 autofmt.exe 8->18         started        signatures6 process7 dnsIp8 58 Tries to steal Mail credentials (via file / registry access) 12->58 60 Tries to harvest and steal browser information (history, passwords, etc) 12->60 62 Writes to foreign memory regions 12->62 70 3 other signatures 12->70 20 explorer.exe 3 1 12->20 injected 24 RAVCpl64.exe 12->24 injected 26 firefox.exe 12->26         started        44 103.167.90.55, 49779, 80 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 15->44 64 Tries to detect Any.run 15->64 66 Maps a DLL or memory area into another process 15->66 68 Sample uses process hollowing technique 15->68 signatures9 process10 dnsIp11 38 www.wirsindvereinigung.com 81.19.154.98, 49813, 49814, 49815 WORLD4YOUAT Austria 20->38 40 www.martmill.xyz 67.223.117.37, 49805, 49806, 49807 VIMRO-AS15189US United States 20->40 42 12 other IPs or domains 20->42 54 System process connects to network (likely due to code injection or exploit) 20->54 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 11:17:05 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=72tf3vfahk66aj5xbjk6byqoxoojbsvekcm22o4fsdus64632pla._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0a83a6c897b43357c341190cc93e0310cc8063f4e569853aba1c912ede95229f
GuLoader
0b79991d57a301d4cdf1d4cf7234d2ad5afe5a3895e75b9c12d4bd16a385389a
GuLoader
1d500cd661df7071f1ff76b19067cef40b5a0ab4b4a9ac26425dcdbac6eb7e7e
GuLoader
2bc537df04cceb724dbfd9b6bb93a837f184bf5f1b759b3cb9f474d94a1acec2
GuLoader
3faa50f804161625bca7b0f900367c6f6f127a40a0914cdf2d47a463d69795b6
GuLoader
44328ff389f8b9fb0679290b9848395d930dd57cf30eb76d16af61289e6ba2c7
GuLoader
6e7f8ff3782bb90e21df7fd4f7b61369e10b3965cde2cab0c24d6876809afb4e
GuLoader
bc348990c0e735b8de2b3a92a45d1025d62b8e0ce23c364cdc9467aa566efc48
GuLoader
d71677cc4b276a3ecc1de38281a1d88410be241c11422b2b55147bede496355a
GuLoader
e6e7575f09a3e973c9b315f3206448f9ddd04b3b8ca39d126e02bad763a17948
GuLoader
+ 1'551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230601-ndpe9sea36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
MD5 hash:
3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 hash:
fe582246792774c2c9dd15639ffa0aca90d6fd0b
Link:
https://www.unpac.me/results/5573bdbc-ec1f-4c4e-a00e-0d3b1a074af4/
SH256 hash:
fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6
MD5 hash:
ed61febcba66f166082b96a553f2cb33
SHA1 hash:
2537483fa23a2d8ec472f3e81ea2de323856d0fb
Link:
https://www.unpac.me/results/5573bdbc-ec1f-4c4e-a00e-0d3b1a074af4/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fea65dd4a03a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2648844/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/394366/

Comments