MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c67a7f28876787d1318b3491da81db5fd8f3bcf65007e3a4ca76b2681b2d0865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c67a7f28876787d1318b3491da81db5fd8f3bcf65007e3a4ca76b2681b2d0865
SHA3-384 hash: cbfdc06ddba48bc6f5db7eabcca32fc14fb64f64a89f828a082f5d3f485408a383e2325ee481f8472c12e263d8602575
SHA1 hash: 3af48615c7fde623ae8dc20c427330e2f3182d0f
MD5 hash: f835122d4d9660bc6f72050e5b455863
humanhash: high-saturn-kilo-eleven
File name:f835122d4d9660bc6f72050e5b455863
Download: download sample
Signature GuLoader
Create hunting rule
File size:406'607 bytes
First seen:2023-07-04 07:13:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 6144:tGC7W7BUkJqZ8y8RhrCUVmO2tC88F7y58pHCej8jFWaQWMqYRmtfXO+7F6u/UvgE:/a7NkuhqkIftNsvg4kwxlpjU7qxfv7
Threatray 56 similar samples on MalwareBazaar
TLSH T17B840183F081B7B7D42B8436E1573FB6DB35ADB641452A11F7C8B22BB8B39923616113
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a2a6aca4a4c4a6d4 (2 x GuLoader)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00029982771.xls
Verdict:
Malicious activity
Analysis date:
2023-07-04 05:48:07 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/d22c33e7-72c2-4d51-9393-c0b1d3a82c7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/406286/
Detection(s):
SecuriteInfo.com.NSIS.TrojanX-gen.7856.19280.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64a3c6bb51710bcd8d441dc9/reports/707e0b22-ecf0-4c99-a1db-31dcb78886e6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/c67a7f28876787d1318b3491da81db5fd8f3bcf65007e3a4ca76b2681b2d0865
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bf626a28-5251-4bf1-b6db-5d9e1cefab62
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1266411
Signature
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266411 Sample: ugxpidcfyi.exe Startdate: 04/07/2023 Architecture: WINDOWS Score: 56 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected GuLoader 2->22 7 ugxpidcfyi.exe 6 50 2->7         started        process3 file4 18 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->18 dropped 10 powershell.exe 7 7->10         started        12 powershell.exe 7 7->12         started        process5 process6 14 conhost.exe 10->14         started        16 conhost.exe 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c67a7f28876787d1318b3491da81db5fd8f3bcf65007e3a4ca76b2681b2d0865/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-07-03 12:38:37 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yz5h6kehm6d5cmmlgsi5vao3l7mphphwkad6hjgko2zgqgznbbsq._file
Verdict:
malicious
Similar samples:
1a0fbb826190090ae7c31547cab7a1ae8097c8b6acb61e8ad20412a371b7bbb3
GuLoader
74fdc92935d1df1effa73c9a1dee11c520f97ab33eac58c0870fc675360a5cf1
GuLoader
9a928bf2d0e31a7cb31b1e48d9e532058ad20fd7b37a3aa39fc759112f0d3150
GuLoader
a0f8fb030ff558cd599c4504fdecaeacac21157b6047dcbde11a4adb776823fd
GuLoader
aba19cc38e4985676b27e5a87d4e11c8bdbb8ee25f27b0482512153bb8483f0c
GuLoader
bb3cb5be98fc254bec5899931148664dd131b1eb5e847a67bab5a4fb8aa56e66
GuLoader
bbdfcbd086cb7e16f98e050d8f77cc3b0961c4d7b6b96dde3f6e89009c7dab74
GuLoader
ce4ae17d3b147555a3dd78f30ef0c24732324d42971d90e73cda8bd087c34953
GuLoader
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230704-h2mzfsbe23/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Unpacked files
SH256 hash:
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d
MD5 hash:
fa299e199922b3ba833be655a8d71b75
SHA1 hash:
4d74c53bb6927a2831df93af26f3e4e4fb007797
Link:
https://www.unpac.me/results/6d1a5071-535c-4c5b-a135-076a4e053c8e/
SH256 hash:
028ef8be1b5fde98e789234628996c87ac44d5d263951c7cc095cb9ff88669a0
MD5 hash:
ae5528c6e6ed4800ad8ab3024d69a5b0
SHA1 hash:
0117b68606f584bf4769584025ea36c524169cea
Link:
https://www.unpac.me/results/6d1a5071-535c-4c5b-a135-076a4e053c8e/
SH256 hash:
49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d
MD5 hash:
fa299e199922b3ba833be655a8d71b75
SHA1 hash:
4d74c53bb6927a2831df93af26f3e4e4fb007797
Link:
https://www.unpac.me/results/6d1a5071-535c-4c5b-a135-076a4e053c8e/
SH256 hash:
028ef8be1b5fde98e789234628996c87ac44d5d263951c7cc095cb9ff88669a0
MD5 hash:
ae5528c6e6ed4800ad8ab3024d69a5b0
SHA1 hash:
0117b68606f584bf4769584025ea36c524169cea
Link:
https://www.unpac.me/results/6d1a5071-535c-4c5b-a135-076a4e053c8e/
SH256 hash:
c67a7f28876787d1318b3491da81db5fd8f3bcf65007e3a4ca76b2681b2d0865
MD5 hash:
f835122d4d9660bc6f72050e5b455863
SHA1 hash:
3af48615c7fde623ae8dc20c427330e2f3182d0f
Link:
https://www.unpac.me/results/6d1a5071-535c-4c5b-a135-076a4e053c8e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe c67a7f28876787d1318b3491da81db5fd8f3bcf65007e3a4ca76b2681b2d0865

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2676317/
Cape
Cape
https://www.capesandbox.com/analysis/406286/

Comments


Avatar
zbet commented on 2023-07-04 07:13:05 UTC

url : hxxp://194.59.218.151/Brassate.exe