MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51312879e466ced8562644c3253f29931ec838bbe081c638c3f4d98c99644e48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51312879e466ced8562644c3253f29931ec838bbe081c638c3f4d98c99644e48
SHA3-384 hash: 1dad005b98c276caed40c48133cd1bc96b76e7da9254ec51f2867a66e4c82070bbbc815e3e7be6484af2a8070562549d
SHA1 hash: b6a15bee9b4d22e2e70d2770409aec3ef2b22688
MD5 hash: 48f760bc5577570d302503fa46c59acc
humanhash: orange-grey-skylark-network
File name:exploited.xll
Download: download sample
Signature GuLoader
Create hunting rule
File size:2'668'544 bytes
First seen:2022-08-24 05:38:59 UTC
Last seen:2022-08-24 08:31:07 UTC
File type:Excel file xll
MIME type:application/x-dosexec
imphash d4c9759f791ea559bbad095fb49820d9 (14 x AveMariaRAT, 4 x XenoRAT, 2 x XenorRAT)
ssdeep 49152:2ObDyaihHKE3MPxoYm8dIlrhLTIh74ph1j2PCgxbRaiobWnXNs:2ObPihHd3MPy22Why1jBolaio6
Threatray 33 similar samples on MalwareBazaar
TLSH T14EC5F109C3667386E69EA1BDD031FA28023276731A75F2B9BF82E95E10D4717192C71F
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter lowmal3
Tags:GuLoader xll

Intelligence

File Origin
# of uploads :
3
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
exploited.xll
Verdict:
No threats detected
Analysis date:
2022-08-24 05:39:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5613fce2-6270-4d2e-941e-564c89485f89

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.generic.ml.4288.22132.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/51312879e466ced8562644c3253f29931ec838bbe081c638c3f4d98c99644e48/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6305b99413d4422dbbbe2ffd/reports/3dc7a822-3f42-42da-ba4c-522850fd9abc/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1056740
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 689257 Sample: exploited.dll Startdate: 24/08/2022 Architecture: WINDOWS Score: 48 19 Multi AV Scanner detection for submitted file 2->19 7 loaddll64.exe 4 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 regsvr32.exe 3 7->11         started        13 rundll32.exe 1 7->13         started        15 2 other processes 7->15 process5 17 rundll32.exe 9->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51312879e466ced8562644c3253f29931ec838bbe081c638c3f4d98c99644e48/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=keysq6pem3hnqvrgitbskpzjsmpmqof34ca4mogd6tmyzglejzea._file
Verdict:
unknown
Similar samples:
02fb8eb6c513e90738234def1f0ee6869d25af749ba3285b9b979ed33c3ec2e9
GuLoader
05dd0699fa283253f95d1c7389baa351bc5406477c036660b3a553e29ca17535
GuLoader
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b
GuLoader
4d722ed2510391ddcfc520cdfff4d6bd8d4f1366aa50a82a925fc6d35db5f388
GuLoader
5f1ff93cf4eb1ec53402b5bb959a6fd1d4c94fed041606a39d7b334b699514ec
GuLoader
a36e885bc0c8a691dda06f59183df0c1d9aa95d5b3be78e7f15e06112df91dd3
GuLoader
b21d4971ea8d9efdea1ce27b50f8477b4d2227200da98df8842945426a90e7a8
GuLoader
bdd11090b49fbb4ad1ece6a230d6c1046159afaa63b6684531265e65a4486b7a
GuLoader
c7e28f0a0bfd22ba30414be8ecd3a48f9a0453693570994a88c5e50d67b8f492
GuLoader
e8ecf8ebf7cf11d1637372f3b2abe0e63eaf6424756553536b98ddcce8dc4d0a
GuLoader
+ 23 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence
Link:
https://tria.ge/reports/220824-gcagdsghgn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51312879e466ced8562644c3253f29931ec838bbe081c638c3f4d98c99644e48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Find_Any_Xll_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Find Any XLL File
Rule name:Hunt_Excel_DNA_Built_XLL_Files
Create hunting rule
Author:David Ledbetter @Ledtech3
Description:Hunt for Excel Addin dll files generated with Excel-DNA builder https://excel-dna.net/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Excel file xll 51312879e466ced8562644c3253f29931ec838bbe081c638c3f4d98c99644e48

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments