MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534
SHA3-384 hash: b97a61376c4f40efd47d2e85ba3a653b4222186dad45843e3d81d7f2df6536ba884a4e5343455c2e12695c259ceae876
SHA1 hash: 2692590176abf1deaba1ffe4ce6b2e5255a0af64
MD5 hash: f166d6ae311679fb81b13c340d0e7738
humanhash: colorado-ohio-oxygen-diet
File name:invoice4346.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:386'948 bytes
First seen:2023-07-10 12:22:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b40f29cd171eb54c01b1dd2683c9c26b (45 x GuLoader, 16 x RemcosRAT, 15 x VIPKeylogger)
ssdeep 6144:/oShfEPZVheNA+ff03IvTWR1wHa98hU3DHCMf6rbZX:QqCnhe2e42Czw69kgH3fuX
Threatray 3'244 similar samples on MalwareBazaar
TLSH T17B845A9239D975AFEC2F4678035FEAB22A795CE07381086E5F40760D4C3664A80EDDD7
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c88604b919c6c6c0 (77 x GuLoader, 10 x Formbook, 8 x AgentTesla)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoice4346.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-10 12:27:31 UTC
Tags:
installer
Link:
https://app.any.run/tasks/66f7c4fa-f17d-43f9-9436-f9d66d6fe9f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/413578/
Detection(s):
SecuriteInfo.com.W32.Trojan.MIVJ-5088.4236.17585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control guloader lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64abf82d4b573cca625dc133/reports/8094f9dc-e84c-48c4-86a3-4cf7ffa2f262/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/16c4d274-1e14-401f-8ea3-188ee017f6cd
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1269725
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1269725 Sample: invoice4346.exe Startdate: 10/07/2023 Architecture: WINDOWS Score: 100 40 www.xn--ciqpnj85djnvt4n.com 2->40 42 www.tinyhouseczech.com 2->42 44 18 other IPs or domains 2->44 64 Snort IDS alert for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 6 other signatures 2->70 11 invoice4346.exe 4 30 2->11         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\...\Calcars.Mar, data 11->34 dropped 36 C:\Users\user\AppData\Local\...\System.dll, PE32 11->36 dropped 38 C:\Users\...\System.IO.Compression.Brotli.dll, PE32+ 11->38 dropped 82 Tries to detect Any.run 11->82 15 invoice4346.exe 6 11->15         started        signatures6 process7 dnsIp8 52 drive.google.com 142.250.184.238, 443, 49854 GOOGLEUS United States 15->52 54 googlehosted.l.googleusercontent.com 142.250.185.193, 443, 49855 GOOGLEUS United States 15->54 56 Modifies the context of a thread in another process (thread injection) 15->56 58 Tries to detect Any.run 15->58 60 Maps a DLL or memory area into another process 15->60 62 2 other signatures 15->62 19 RAVCpl64.exe 15->19 injected signatures9 process10 process11 21 cmstp.exe 13 19->21         started        24 autochk.exe 19->24         started        signatures12 72 Tries to steal Mail credentials (via file / registry access) 21->72 74 Tries to harvest and steal browser information (history, passwords, etc) 21->74 76 Writes to foreign memory regions 21->76 78 3 other signatures 21->78 26 explorer.exe 3 1 21->26 injected 30 firefox.exe 21->30         started        process13 dnsIp14 46 www.tinyhouseczech.com 81.91.86.14, 49899, 49900, 49901 WEB4UCZ Czech Republic 26->46 48 www.charchess.xyz 203.161.55.144, 49874, 49875, 49876 VNPT-AS-VNVNPTCorpVN Malaysia 26->48 50 11 other IPs or domains 26->50 80 System process connects to network (likely due to code injection or exploit) 26->80 32 WerFault.exe 4 30->32         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 10:10:23 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=73ifk34hrbgh2qhk3u7c6iwuglnawwcu5xneibfjg323m3qawu2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
2cd9e8fc5b73c35422b79574233937370a03f6714ba9e813da80ac2974b4cf91
GuLoader
455479a2d31bd901fdff62e67ec93e40f80e5956384e93e5030132d4a490501f
GuLoader
591ea8c06daef587f239bbaa3d29cb46ccba25ccba58c324441efbaf4c5eb5d8
GuLoader
5edb99afba36f3aa19c0b065b263b65e27d37d588c5441d5f9518e8423480344
GuLoader
7db4eb09d5e3b7b8cb37539295da0190b1c1416898804b297e1bc7b5f5eff9e8
GuLoader
99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef
GuLoader
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
GuLoader
df58322b2a0bb94b05101e0139e92fa8fdd9b6603b3cdb4f4bf80b6353d587c1
GuLoader
fabfc52b4f6d55fee942c164fed13e4d2b2654cafeff471a52e13c31384c19ce
GuLoader
+ 3'234 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230710-pkhfzabb2y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2
MD5 hash:
6ad39193ed20078aa1b23c33a1e48859
SHA1 hash:
95e70e4f47aa1689cc08afbdaef3ec323b5342fa
Link:
https://www.unpac.me/results/6fec74e0-5770-496a-818b-e6cbc57bdb5d/
SH256 hash:
fed0556f87884c7d40eadd3e2f22d432da0b5854edda4404a936f5b66e00b534
MD5 hash:
f166d6ae311679fb81b13c340d0e7738
SHA1 hash:
2692590176abf1deaba1ffe4ce6b2e5255a0af64
Link:
https://www.unpac.me/results/6fec74e0-5770-496a-818b-e6cbc57bdb5d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/413578/

Comments