MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85c6278bc488e1f7de26613f178423e147cdfc63088a9327733b531001496a02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85c6278bc488e1f7de26613f178423e147cdfc63088a9327733b531001496a02
SHA3-384 hash: d3a1d18831d77e832b6e274e68becbf75d952c925f30baa6e9b706a5f80287f09afab7bdff89b4773ef33491ac5ff051
SHA1 hash: 0d711c2b82f6ee9cdbf6c633f56904d61a6d2d27
MD5 hash: 2630ecf7a1104ae0faa91afa5a4f2e55
humanhash: quebec-winter-cat-comet
File name:New order#2_W43.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:166'745 bytes
First seen:2023-04-16 08:33:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e871f39e81b4aa977737b07cee050825 (15 x GuLoader, 3 x Formbook, 2 x RemcosRAT)
ssdeep 3072:8k62PBHHXx4Qsbc4e9QmxqpXDMYDLeXfojMqMPSORRAEs1GREsI:8k62PBHbOy6gqpXDlHUfojMqWrAEEHp
Threatray 563 similar samples on MalwareBazaar
TLSH T1C4F3F29695E6C0F3EFD719701073972B7E666B0290652F0767B46F876C223128C2F1AB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
501
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New order#2_W43.exe
Verdict:
Malicious activity
Analysis date:
2023-04-16 08:35:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/559dc284-5929-411f-b77a-19064e93d40d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382583/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66343429.14589.28309.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/79877/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/643bb2fbf4a1f6ede14efe16/reports/b0a81797-f72c-4cac-bfd5-43aefefe5b84/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/85c6278bc488e1f7de26613f178423e147cdfc63088a9327733b531001496a02
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa9cbf61-d56d-4e13-8aa6-c825e42f1e2e
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1214567
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Obfuscated command line found
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 847491 Sample: New_order#2_W43.exe Startdate: 16/04/2023 Architecture: WINDOWS Score: 92 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected GuLoader 2->41 43 2 other signatures 2->43 7 New_order#2_W43.exe 6 36 2->7         started        process3 file4 33 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->33 dropped 35 C:\Users\user\AppData\Local\...\System.dll, PE32 7->35 dropped 45 Obfuscated command line found 7->45 47 Mass process execution to delay analysis 7->47 49 Tries to detect virtualization through RDTSC time measurements 7->49 11 cmd.exe 7->11         started        13 cmd.exe 7->13         started        15 cmd.exe 7->15         started        17 61 other processes 7->17 signatures5 process6 process7 19 Conhost.exe 11->19         started        21 Conhost.exe 13->21         started        23 Conhost.exe 15->23         started        25 Conhost.exe 17->25         started        27 Conhost.exe 17->27         started        29 Conhost.exe 17->29         started        31 58 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85c6278bc488e1f7de26613f178423e147cdfc63088a9327733b531001496a02/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-10 08:47:32 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
10 of 37 (27.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxdcpc6erdq7pxrgme7rpbbd4fd437ddbcfjgj3thnjraakjniba._file
Verdict:
malicious
Similar samples:
13c7efc07da5177178e3ed9b89e4db5726c2839eccd316e504ab090bdbb1b4f6
GuLoader
2be2d9bcf3d560c9976093d25cc1ca8e471c304805cb40b40523998d84dab5e3
GuLoader
664855cad59286954cebcb029394c69ecbaa1045c5688f370f4cf5c289b27962
GuLoader
83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9
GuLoader
856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf
GuLoader
86d7bb37384646a755a03c2f6e743483ee40d5af6f018824e89c54a9308ceecf
GuLoader
a873177a2d1bc01b7f331d6e382c5b38ecade35d8c37af365ea4e631b988e97a
GuLoader
d562c7b5c4664bbf1f6b7c3352fe282711b5cb9cda0df12de08e38cda703b69b
GuLoader
+ 553 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/230416-kgf2hsbb7v/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
b4ec96eda12eb0cbd593d4a65bb9ebb9055244f16a19dc976ba57bc552763419
MD5 hash:
6b174eb4d11c11ad5d8c8653f09e60c3
SHA1 hash:
222b75fa7c03707d8664817a2fd7db142f33867b
Link:
https://www.unpac.me/results/f9a2b7e6-34e1-4358-a464-fa015fff8b91/
SH256 hash:
e32b35cde7c6e2c967445de92884684db7fda506ea52b9aaa74c1a33dd2fdfe6
MD5 hash:
55f18cafe28167995629fdeae4f07bdf
SHA1 hash:
a6bd9310f4408c86149993d1e8833d35dd16bb23
Link:
https://www.unpac.me/results/f9a2b7e6-34e1-4358-a464-fa015fff8b91/
SH256 hash:
a240b154a209f40608d5a12ef6668436591df576382ea7799999775a4610e80c
MD5 hash:
f85dd7d185089406c22ffa0e8dd8787c
SHA1 hash:
378964535320dcc58d1fb1f6ce9fab4a8d26ca44
Link:
https://www.unpac.me/results/f9a2b7e6-34e1-4358-a464-fa015fff8b91/
SH256 hash:
85c6278bc488e1f7de26613f178423e147cdfc63088a9327733b531001496a02
MD5 hash:
2630ecf7a1104ae0faa91afa5a4f2e55
SHA1 hash:
0d711c2b82f6ee9cdbf6c633f56904d61a6d2d27
Link:
https://www.unpac.me/results/f9a2b7e6-34e1-4358-a464-fa015fff8b91/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85c6278bc488/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.43
Link:
https://yomi.yoroi.company/submissions/85c6278bc488e1f7de26613f178423e147cdfc63088a9327733b531001496a02

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 85c6278bc488e1f7de26613f178423e147cdfc63088a9327733b531001496a02

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382583/

Comments