MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89e2493a09c8a4a6de5198ff6052522953f26b441efe2b19838052fa695f08e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89e2493a09c8a4a6de5198ff6052522953f26b441efe2b19838052fa695f08e9
SHA3-384 hash: 41fb6580776099b5a1bea7bce5d73af48d28ce5c19447ce9028f78daf5d1f7254b83e9c62cc53f37413ffcefbed85881
SHA1 hash: 517359f64e696114a86aa6e174b27a3f1217a27c
MD5 hash: 0773ae53c49b566eb47c1935815eb34c
humanhash: tennessee-october-helium-london
File name:RVSC2107519.xll
Download: download sample
Signature GuLoader
Create hunting rule
File size:9'216 bytes
First seen:2022-05-05 05:21:33 UTC
Last seen:2022-05-05 05:40:54 UTC
File type:Excel file xll
MIME type:application/x-dosexec
imphash 5b93d93d32cd48b4478e2218c8053334 (1 x Smoke Loader, 1 x GuLoader)
ssdeep 192:ofuuiX0ubSoDQMXmA2WjO9r9YQFryrJot6:bhgaXmxWj2hFWyt
TLSH T1BA124C62FFD149F2CF2C03F56976592B862C77108FA10712BB7E661E2F05441F91895E
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:GuLoader xll

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RVSC2107519.xll
Verdict:
Suspicious activity
Analysis date:
2022-05-05 05:27:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec7a2b23-4373-4be5-a6f6-eb61e3b7b2ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.SUSP_Encoded_Discord_Attachment_Oct21_1.18043.13259.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/89e2493a09c8a4a6de5198ff6052522953f26b441efe2b19838052fa695f08e9/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62735f0337afaeff09c3e1cc/reports/1e2ac306-7961-423a-b013-09ef2f3609d7/overview
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Empire PowerShell Request
Detected a base64 encoded Powershell HTTP request that is likely sourced from Empire.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/988247
Signature
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 620750 Sample: RVSC2107519.dll Startdate: 05/05/2022 Architecture: WINDOWS Score: 96 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected GuLoader 2->55 57 C2 URLs / IPs found in malware configuration 2->57 8 loaddll32.exe 1 2->8         started        process3 signatures4 65 Malicious encrypted Powershell command line found 8->65 67 PowerShell case anomaly found 8->67 11 cmd.exe 1 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 rundll32.exe 8->18         started        process5 signatures6 69 Malicious encrypted Powershell command line found 11->69 71 Suspicious powershell command line found 11->71 73 Encrypted powershell cmdline option found 11->73 20 powershell.exe 15 21 11->20         started        75 PowerShell case anomaly found 14->75 25 rundll32.exe 14->25         started        27 cmd.exe 16->27         started        29 cmd.exe 18->29         started        process7 dnsIp8 47 cdn.discordapp.com 162.159.135.233, 443, 49753 CLOUDFLARENETUS United States 20->47 37 C:\Users\user\...\dllhostServicesrun.exe, PE32 20->37 dropped 59 Powershell drops PE file 20->59 31 dllhostServicesrun.exe 1 33 20->31         started        61 Malicious encrypted Powershell command line found 25->61 63 PowerShell case anomaly found 25->63 35 cmd.exe 25->35         started        file9 signatures10 process11 file12 39 C:\Users\user\AppData\Local\Temp\zlib1.dll, PE32+ 31->39 dropped 41 C:\Users\user\AppData\Local\Temp\tapctl.exe, PE32+ 31->41 dropped 43 C:\Users\user\AppData\Local\...\System.dll, PE32 31->43 dropped 45 3 other files (none is malicious) 31->45 dropped 49 Tries to detect virtualization through RDTSC time measurements 31->49 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89e2493a09c8a4a6de5198ff6052522953f26b441efe2b19838052fa695f08e9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-05 01:32:22 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
10 of 25 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhresoqjzcsknxsrtd7waussffj7e22ed37cwgmdqbjpu2k7bduq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader collection downloader keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220505-f2lqaafbg5/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
AgentTesla
Guloader,Cloudeye
Process spawned unexpected child process
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
https://api.telegram.org/bot5183154375:AAGx7xtuCGbwey9a64d6NbERrOFPRVxdO6Y/sendDocument
Dropper Extraction:
https://cdn.discordapp.com/attachments/965163295852081155/971570561820004352/m3.exe
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/89e2493a09c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89e2493a09c8a4a6de5198ff6052522953f26b441efe2b19838052fa695f08e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_Case_Anomaly
Create hunting rule
Author:Florian Roth
Description:Detects obfuscated PowerShell hacktools
Reference:https://twitter.com/danielhbohannon/status/905096106924761088
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:SUSP_Encoded_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments