MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0
SHA3-384 hash: a4c4fe967cc091ced5aa8aa9fa2efb04fccd0db9db8105944b0cd927f0f3fb88c3361f9a0ca1f90451c55aa977a3a898
SHA1 hash: c7549e4c7fd7738afc34857626d6a43587f2d533
MD5 hash: f0135e14840c350c60176002d74c6d0a
humanhash: happy-avocado-robin-missouri
File name:%D0%A1hr%D0%BEm%D0%B5S%D0%B5tup.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:9'784'480 bytes
First seen:2023-09-03 14:05:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21314122cd4542a6b9b297f52a87acbe (3 x GuLoader, 2 x LummaStealer, 2 x ConnectWise)
ssdeep 49152:tWtfl3xiDZjSPQaLOpU0dpBYYZFfsqWGXwuO6Bpp5eIMXYpnF4tk11zppI04zmHz:wtfl0kYax0dMiNsqWGXwtyqIMa
Threatray 25 similar samples on MalwareBazaar
TLSH T12BA67C30EA44012BCE8313BBAD6646D3A92CD621131221DBF6DD175D1BA74D8933EF6E
TrID 72.6% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
15.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter monitorsg
Tags:ClearFake exe GuLoader


Avatar
monitorsg
hXXps://raw.githubusercontent[.]com/vangguardadomorrisseyney32/dust-0001/main/d.txt (Injected) --> hXXps://gkrokbmrkmrxtmxrxr[.]space/vvmd54/ --> hXXps://ewkekezmwzfevwvwvvmmmmmmwfwf[.]site/ZgbN19Mx (Keitaro) --> hXXps://ewkekezmwzfevwvwvvmmmmmmwfwf[.]site/lander/chrome/_index.php (landing) --> hXXps://stats-best[.]site/fp.php (fingerprint) --> hXXps://zcj9na.bn.files.1drv[.]com (download)

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df4a92d5-b291-4c30-9158-74f67299ebf3
Verdict:
Malicious activity
Analysis date:
2023-09-03 14:06:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee8f41eb-c871-474f-93ee-a9845576c440

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445855/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/996e6877-03e9-491a-b9b2-8cf420df0dd6
Result
Threat name:
n/a
Detection:
suspicious
Classification:
troj
Score:
27 / 100
Link:
https://www.joesandbox.com/analysis/1302418
Signature
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-09-03 14:06:13 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqeloga2wxktbzo2qclhxzz7qwhnsorm7ulscmn45khqomleuwqa._file
Verdict:
unknown
Similar samples:
082ac271e7068243ead494e9447288e5969d22bc461e6de9dd1203145a203a73
GuLoader
5bcc5718b11d0e933930934805ea3f1dcb888dd19eb9dd75574ef425e704d799
GuLoader
9d2321341dc5804543514a81cab9aac8dbc52466c77bad98a3835819cb9d9c7d
GuLoader
a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def
GuLoader
bd043af859a796897462ed7a5aadb1c4a145f67f01a00c49b45a4b80564da6bb
GuLoader
bf13eb2026e85f67cbe27ba0ba349a615776976ae8c47ae979335a7d556e04bc
GuLoader
c9094685ae4851fd5a5b886b73c7b07efd9b47ea0bdae3f823d035cf1b3b9e48
GuLoader
d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d
GuLoader
e6ca97018621d4cab0eca8eeda2a5df23b4b35ac544a6e39a19207b847874c59
GuLoader
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230903-red8gaad5y/
Behaviour
Enumerates physical storage devices
Unpacked files
SH256 hash:
b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0
MD5 hash:
f0135e14840c350c60176002d74c6d0a
SHA1 hash:
c7549e4c7fd7738afc34857626d6a43587f2d533
Link:
https://www.unpac.me/results/6dfbe56d-f4ca-4de2-9c03-9bf276ace6e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:Cerberus
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Cerberus
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GuLoader
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
Author:ditekSHen
Description:Detects executables containing possible sandbox analysis VM usernames
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0

(this sample)

  
Link
https://infosec.exchange/@monitorsg/111001594953501610
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/445855/

Comments