MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d982b49456267e913a88fa59dc74f405acc6f9f9d27038cf54596523877c799. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d982b49456267e913a88fa59dc74f405acc6f9f9d27038cf54596523877c799
SHA3-384 hash: ad0026a403e1022eb25d7b4b4751a20d2d2e228a979c9fa232cfc53054ad7c6814b6587f932bdf8ccb281543aedffbe5
SHA1 hash: 808aefeb9d7223ebf7e85dc89994d942b1e5cd93
MD5 hash: 6849443aac76a87c853cc7303468d94d
humanhash: cup-shade-georgia-ink
File name:SPECIFICATION.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:363'014 bytes
First seen:2023-08-01 06:16:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:NQ606x3uwLbhTmPEN1OfaF1DghgnI3zWzHiR58QEr6JIyy8r:nhPhqPrfaviz3S8y6By8r
Threatray 789 similar samples on MalwareBazaar
TLSH T199746C49F763ECE9FA664379207159263F819C5FA0D9285C228DFB253C32252509BCFB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter lowmal3
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SPECIFICATION.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-01 06:18:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9dd88bf1-306e-41e3-82da-c5f2a04fb07b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439509/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64c8a35f2a568ab215b98ac0/reports/69eddba7-0950-4657-8ec4-5bf6ae6a3244/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/7d982b49456267e913a88fa59dc74f405acc6f9f9d27038cf54596523877c799
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e88eb41f-08ba-4c59-a1e9-d60a7672d145
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1283539
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1283539 Sample: SPECIFICATION.exe Startdate: 01/08/2023 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic 2->67 69 Multi AV Scanner detection for domain / URL 2->69 71 Found malware configuration 2->71 73 6 other signatures 2->73 8 Indwelling.exe 21 2->8         started        12 SPECIFICATION.exe 1 33 2->12         started        14 explorers.exe 21 2->14         started        process3 file4 49 C:\Users\user\AppData\Local\...\System.dll, PE32 8->49 dropped 75 Antivirus detection for dropped file 8->75 77 Multi AV Scanner detection for dropped file 8->77 79 Tries to detect Any.run 8->79 16 Indwelling.exe 8->16         started        51 C:\Users\user\AppData\Local\...\System.dll, PE32 12->51 dropped 20 SPECIFICATION.exe 3 12 12->20         started        53 C:\Users\user\AppData\Local\...\System.dll, PE32 14->53 dropped 23 WerFault.exe 21 14->23         started        25 WerFault.exe 14->25         started        signatures5 process6 dnsIp7 41 C:\Users\user\AppData\...\explorers.exe, PE32 16->41 dropped 61 Creates autostart registry keys with suspicious names 16->61 27 explorers.exe 16->27         started        59 84.38.134.11, 50215, 50222, 80 DATACLUBLV Latvia 20->59 43 C:\Users\user\AppData\...\Indwelling.exe, PE32 20->43 dropped 45 C:\ProgramData\explorers\explorers.exe, PE32 20->45 dropped 47 C:\...\explorers.exe:Zone.Identifier, ASCII 20->47 dropped 63 Creates multiple autostart registry keys 20->63 65 Tries to detect Any.run 20->65 31 explorers.exe 21 20->31         started        file8 signatures9 process10 file11 55 C:\Users\user\AppData\Local\...\System.dll, PE32 27->55 dropped 33 WerFault.exe 27->33         started        35 WerFault.exe 27->35         started        57 C:\Users\user\AppData\Local\...\System.dll, PE32 31->57 dropped 81 Antivirus detection for dropped file 31->81 83 Multi AV Scanner detection for dropped file 31->83 37 WerFault.exe 21 16 31->37         started        39 WerFault.exe 16 31->39         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d982b49456267e913a88fa59dc74f405acc6f9f9d27038cf54596523877c799/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-01 01:20:35 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwmcwskfmjt6se5ir6sz3r2pibnmy347tutqhdhviwlfeodxy6mq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0394b5d83b6fa63b6c661265ce44b6036027af24c5c316050b607647a73d3541
GuLoader
0f849525b31bc8eb26642e47cdcf9a3b9c945e5e481dd427a3175486278ac2db
GuLoader
7136249249db3d970775998b54eb855fcaf4e53ebed0591a6754ee0c604bb534
GuLoader
84e316ba28c1745989fcba630c13792daa4286bee90d828d9eb6e9f36d86f4fd
GuLoader
8ef00db9712f487dc2bd4329378cb38ba2d1706284658e5e77602cb180ca82d7
GuLoader
c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
GuLoader
caf073b1d85bc136488382be2c83c264ac64d2df279752341b1c4601c6201a41
GuLoader
d9c35851a578222df21273255d16f3fc4d6ccbf3b6120bf7e1fe1ecbfb534b8f
GuLoader
ffb9192afd43da5c2c43792c31e9595a7c277d8302a3159e9a9935d36b5ebb08
GuLoader
+ 779 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230801-g1191sdg76/
Behaviour
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/f9f5fbf8-6d64-4f6b-8946-f158209344db/
SH256 hash:
7d982b49456267e913a88fa59dc74f405acc6f9f9d27038cf54596523877c799
MD5 hash:
6849443aac76a87c853cc7303468d94d
SHA1 hash:
808aefeb9d7223ebf7e85dc89994d942b1e5cd93
Link:
https://www.unpac.me/results/f9f5fbf8-6d64-4f6b-8946-f158209344db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d982b49456267e913a88fa59dc74f405acc6f9f9d27038cf54596523877c799

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 7d982b49456267e913a88fa59dc74f405acc6f9f9d27038cf54596523877c799

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439509/

Comments