MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 684aa993e575c672c0b509eb310ed408ab8fc1000d00a477a2b8912b30ddccf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 684aa993e575c672c0b509eb310ed408ab8fc1000d00a477a2b8912b30ddccf6
SHA3-384 hash: 505ee593915994343872ad23fcb215848ac283bf1e22b37342852aeb4a6ca1b13f9157f0895ae266b7651b44f2e3675e
SHA1 hash: b3d389d6225a57375f37e4f89a2fc715faf15613
MD5 hash: a2820b1c92ba20d6d6e537795b78c901
humanhash: eighteen-lactose-eight-lemon
File name:brndesav.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:522'490 bytes
First seen:2023-07-21 13:12:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep 12288:wT3tfCDvBJuXWUKEen20qb1VpCKJ1ugFKBFmAY:wTN4vBgXGEe2N1y81nFwF1Y
Threatray 860 similar samples on MalwareBazaar
TLSH T122B4F1A567C190CBD1D68872CE06EE6AD521BD365246C72313603EAB7F7FB538A03613
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9f8fbebfbebfbbdd (1 x GuLoader, 1 x Formbook)
Reporter malwarelabnet
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
brndesav.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-21 13:13:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5bb1bf8f-4ff9-4e9d-93ae-5566e78b8887

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/427406/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Leonem.20720.26272.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64ba84277a9c6ddebf0bfe1d/reports/bb9516ad-4fef-4987-89ff-2fd0fdda24bf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/684aa993e575c672c0b509eb310ed408ab8fc1000d00a477a2b8912b30ddccf6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3baf28ca-a9fc-4fca-b94b-24d79bd55816
Result
Threat name:
GuLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277414
Signature
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1277414 Sample: brndesav.exe Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 32 www.vusujhyf.click 2->32 34 www.viaridesentralasia.com 2->34 36 21 other IPs or domains 2->36 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 10 brndesav.exe 1 34 2->10         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 10->30 dropped 68 Tries to detect Any.run 10->68 14 brndesav.exe 6 10->14         started        signatures6 process7 dnsIp8 44 drive.google.com 142.250.184.206, 443, 50261 GOOGLEUS United States 14->44 46 googlehosted.l.googleusercontent.com 172.217.23.97, 443, 50262 GOOGLEUS United States 14->46 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Tries to detect Any.run 14->72 74 Maps a DLL or memory area into another process 14->74 76 Queues an APC in another process (thread injection) 14->76 18 RAVCpl64.exe 14->18 injected signatures9 process10 signatures11 48 Sample uses process hollowing technique 18->48 21 explorer.exe 13 18->21         started        process12 signatures13 58 Tries to steal Mail credentials (via file / registry access) 21->58 60 Tries to harvest and steal browser information (history, passwords, etc) 21->60 62 Writes to foreign memory regions 21->62 64 3 other signatures 21->64 24 explorer.exe 2 1 21->24 injected 28 firefox.exe 21->28         started        process14 dnsIp15 38 www.tuxn1.buzz 170.106.114.35, 50325, 50326, 50327 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 24->38 40 www.49zyw.com 64.32.3.218, 50292, 50293, 50294 ST-BGPUS United States 24->40 42 12 other IPs or domains 24->42 66 System process connects to network (likely due to code injection or exploit) 24->66 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/684aa993e575c672c0b509eb310ed408ab8fc1000d00a477a2b8912b30ddccf6/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 21:13:57 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbfkte7foxdhfqfvbhvtcdwubcvy7qiabuaki55cxciswmg5zt3a._file
Verdict:
unknown
Similar samples:
00d56f9d4e23372133f953d1a0bb58567bc2e9bc34f9e70304116a6382448458
GuLoader
1318b406aebb8aaa85c86870409f2ea28dc40898afc2fc9ec84a9033f54541d9
GuLoader
16bd868c6c2200864825de71892e8802f0f7f243f476dcd38e9d713bb0a5ee44
GuLoader
210d5b19dfc3dff919ba6ed4d76d2aa8becc988dabcca66b247d05c51811434b
GuLoader
39fb90c640f2ee4c2b84536a9b6b5fa48a5f687840db28144acc6eaa2075ffb5
GuLoader
455479a2d31bd901fdff62e67ec93e40f80e5956384e93e5030132d4a490501f
GuLoader
572e8b2c173dc361f25400cbbba7a980cea2dcdf91e1245902f31d05387cec1f
GuLoader
86d4e06d459d993e94c995dc65bf75afbc4f91386ad7b10a1446bbb994c81d64
GuLoader
bebae3e8749062b074318b53acb576d486feeb8bf84cbe644e7e0287e62a9b29
GuLoader
dcc1c76391ceaadb1c6db678ad4811153fa107318b505d642c729abd7fe8cf1e
GuLoader
+ 850 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230721-qfg53seg85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/f21cd942-0441-4bdd-b3bc-995b712fc928/
SH256 hash:
684aa993e575c672c0b509eb310ed408ab8fc1000d00a477a2b8912b30ddccf6
MD5 hash:
a2820b1c92ba20d6d6e537795b78c901
SHA1 hash:
b3d389d6225a57375f37e4f89a2fc715faf15613
Link:
https://www.unpac.me/results/f21cd942-0441-4bdd-b3bc-995b712fc928/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/684aa993e575/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/684aa993e575c672c0b509eb310ed408ab8fc1000d00a477a2b8912b30ddccf6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427406/

Comments