MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b32464dfc8aa711a5469780f57ae24ddab4b65cd4eb2d9cb1d6797ce96de57f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b32464dfc8aa711a5469780f57ae24ddab4b65cd4eb2d9cb1d6797ce96de57f
SHA3-384 hash: 1e3efd1e4360f8f0a687da0b0f2ca56120d08ab24ac7152d0633808d5836ce3c655d9a3590c5592eb42dd9c008fd8293
SHA1 hash: a98dfe506f77a7025333986f790e9858b605189b
MD5 hash: 8fb7b0d584386defa56169e341f6ee64
humanhash: king-steak-artist-london
File name:8fb7b0d584386defa56169e341f6ee64.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:172'032 bytes
First seen:2021-10-11 08:07:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ae1930ab190d7663a058f50c2e04145 (2 x RaccoonStealer, 1 x GuLoader)
ssdeep 3072:MGDpmg2Dvm3Dgs2yYPiTRc/bKLZQKsSG:B132rm3DgcYzmL+8G
Threatray 6'226 similar samples on MalwareBazaar
TLSH T1B8F3E3219A70FC26C09548F6FA6080B74B9C6E31FC5516CBF7803F1A75FB7A196603A6
File icon (PE):PE icon
dhash icon 9e9e9a1cc4a43902 (1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8fb7b0d584386defa56169e341f6ee64.exe
Verdict:
No threats detected
Analysis date:
2021-10-11 08:10:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/800a9e64-5769-4e61-a60a-2e81ea8e3040

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196510/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.1449.22943.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6163f0e79fb4d8593d6155c6/reports/9c21cd43-9ee3-4cfe-b277-57183a49ff13/overview
Result
Threat name:
GuLoader Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868119
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Yara detected GuLoader
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1604 Sample: hWA2wujmoe.exe Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 31 dypage.duckdns.org 2->31 33 telemirror.top 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 9 other signatures 2->47 9 hWA2wujmoe.exe 1 2->9         started        signatures3 process4 signatures5 49 Self deletion via cmd delete 9->49 51 Tries to detect Any.run 9->51 53 Hides threads from debuggers 9->53 12 hWA2wujmoe.exe 87 9->12         started        process6 dnsIp7 35 dypage.duckdns.org 23.146.242.85, 49776, 80 VDI-NETWORKUS Reserved 12->35 37 5.181.156.229, 49778, 80 MIVOCLOUDMD Moldova Republic of 12->37 39 telemirror.top 104.21.31.246, 49777, 80 CLOUDFLARENETUS United States 12->39 23 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 12->23 dropped 25 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\...\ucrtbase.dll, PE32 12->27 dropped 29 56 other files (none is malicious) 12->29 dropped 55 Tries to steal Mail credentials (via file access) 12->55 57 Self deletion via cmd delete 12->57 59 Tries to harvest and steal browser information (history, passwords, etc) 12->59 61 2 other signatures 12->61 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b32464dfc8aa711a5469780f57ae24ddab4b65cd4eb2d9cb1d6797ce96de57f/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 08:08:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
47046d5dfe7ecf45e4c31f25b975af78684f9727b91a7d052b5731e95d2f0a4c
GuLoader
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
GuLoader
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
GuLoader
9bdb2adacff9530fde8a0b020e84188b0b39995db62ba167608d8e2493bd3ee4
GuLoader
ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55
GuLoader
afc7d530c112b47cd33295262f533df60f12568ede477091434381b0d6a2cc8c
GuLoader
bd6cf98ff23cdad2f5bb43bb60e61275d8ad1ad7baeb609aa0a812fc048fede0
GuLoader
db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea
GuLoader
+ 6'216 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/211011-j1ky5sgfdn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/0b4c4082-3fe4-4773-83cc-033eb5d25b1b/
SH256 hash:
8b32464dfc8aa711a5469780f57ae24ddab4b65cd4eb2d9cb1d6797ce96de57f
MD5 hash:
8fb7b0d584386defa56169e341f6ee64
SHA1 hash:
a98dfe506f77a7025333986f790e9858b605189b
Link:
https://www.unpac.me/results/0b4c4082-3fe4-4773-83cc-033eb5d25b1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8b32464dfc8aa711a5469780f57ae24ddab4b65cd4eb2d9cb1d6797ce96de57f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 8b32464dfc8aa711a5469780f57ae24ddab4b65cd4eb2d9cb1d6797ce96de57f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1597372/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196510/
  
URLhaus
https://urlhaus.abuse.ch/url/1666938/

Comments