MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42
SHA3-384 hash: 4bee6887270973e728657feb643774cecb39c5459f9403d35bb5a0602ef4a10311de9da0ec1a046cb699c95cd3e4770c
SHA1 hash: 752c862a154cba230283ca640d8b3395d5d79ee4
MD5 hash: d176d5132b461760213c52d026b04e08
humanhash: dakota-connecticut-fillet-december
File name:d176d5132b461760213c52d026b04e08
Download: download sample
Signature GuLoader
Create hunting rule
File size:2'092'042 bytes
First seen:2024-01-01 04:05:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 671f2a1f8aee14d336bab98fea93d734 (182 x GuLoader, 4 x Formbook, 4 x RemcosRAT)
ssdeep 49152:kaUQl+AMminT6x5fvymhIlbJZ7a07xznKMj5RyXE1ID1PG:xLIAMmuuVwm+xznKMj58aIxPG
Threatray 2 similar samples on MalwareBazaar
TLSH T143A5337482F6AC05D06607B4AF215B30E8D6CC18B166BFE6C650FBB110B7AD53719A8F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Win.Packed.Msilheracles-10017861-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Modifying a system file
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65923a2cb290743934f17ddb/reports/51f48fd4-506b-4f67-b041-77b69dfca30a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc399e2d-2709-45c2-87bf-6f79834f31c8
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1368473
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368473 Sample: UgiTZxdRHU.exe Startdate: 01/01/2024 Architecture: WINDOWS Score: 64 88 su.eda1.ru 2->88 92 Multi AV Scanner detection for dropped file 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 .NET source code contains potential unpacker 2->96 98 Machine Learning detection for sample 2->98 15 UgiTZxdRHU.exe 6 68 2->15         started        18 KKMAgent.exe 22 2->18         started        20 KKMAgent.exe 15 35 2->20         started        signatures3 process4 dnsIp5 74 C:\Users\user\AppData\...\uninstall.exe, PE32 15->74 dropped 76 C:\Users\user\AppData\Roaming\...\TSCLIB.dll, PE32 15->76 dropped 78 C:\Users\user\AppData\...\SushkofWin32Lib.dll, PE32 15->78 dropped 86 16 other files (14 malicious) 15->86 dropped 80 C:\Users\user\AppData\Local\...\tmpD207.tmp, PE32 18->80 dropped 23 kkm.exe 18->23         started        90 su.eda1.ru 213.189.216.94, 443, 49709, 49711 INTERNET-PRO-ASRU Russian Federation 20->90 82 C:\Users\user\AppData\Local\...\tmpC1D6.tmp, PE32 20->82 dropped 84 C:\Users\user\AppData\...\kkm.exe (copy), PE32 20->84 dropped 26 kkm.exe 24 20->26         started        file6 process7 file8 62 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 23->62 dropped 28 KKMAgent.exe 23->28         started        64 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 26->64 dropped 31 KKMAgent.exe 26->31         started        process9 file10 70 C:\Users\user\AppData\Local\...\tmpD60E.tmp, PE32 28->70 dropped 33 kkm.exe 28->33         started        process11 file12 56 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 33->56 dropped 36 KKMAgent.exe 33->36         started        process13 file14 60 C:\Users\user\AppData\Local\...\tmp21CD.tmp, PE32 36->60 dropped 39 kkm.exe 36->39         started        process15 file16 66 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 39->66 dropped 42 KKMAgent.exe 39->42         started        process17 file18 68 C:\Users\user\AppData\Local\...\tmp4BDB.tmp, PE32 42->68 dropped 45 kkm.exe 42->45         started        process19 file20 72 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 45->72 dropped 48 KKMAgent.exe 45->48         started        process21 file22 54 C:\Users\user\AppData\Local\...\tmp944D.tmp, PE32 48->54 dropped 51 kkm.exe 48->51         started        process23 file24 58 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 51->58 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2024-01-01 04:06:11 UTC
File Type:
PE (Exe)
Extracted files:
205
AV detection:
13 of 22 (59.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=re7fc7yise7bdgniy564y5zqfr2hjt7e6ibmsvxu2ybnhdlxpnba._file
Verdict:
unknown
Similar samples:
0eb49cae715e2f31551ea4afa64045540ed77ab891ba1864660b74af64a16971
GuLoader
36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be
GuLoader
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240101-en3k7sbccq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Unpacked files
SH256 hash:
893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42
MD5 hash:
d176d5132b461760213c52d026b04e08
SHA1 hash:
752c862a154cba230283ca640d8b3395d5d79ee4
Link:
https://www.unpac.me/results/402376e7-6474-42d2-a1b2-6f4227e8eeee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 893e517f08913e1199a8c77dcc77302c7474cfe4f202c956f4d602d38d777b42

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745590/

Comments


Avatar
zbet commented on 2024-01-01 04:05:30 UTC

url : hxxp://su.eda1.ru/dist/kkm/kkm_2337.exe