MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c95858f8041c0ad9c6e9441e1f7dfa4e70085e4e73378bf2a47a5d4cb53ca2de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

SHA256 hash: c95858f8041c0ad9c6e9441e1f7dfa4e70085e4e73378bf2a47a5d4cb53ca2de
SHA3-384 hash: e9ca6820fc5d63cf075ef12c7384817258cc65c26c3c6c69e2f3925fe634a58f8372b377fcd6449602f88c091778655c
SHA1 hash: 508ec826663658a9430476569611d63022d685b4
MD5 hash: c904b4a7114cdd828f404f381b635e81
humanhash: wyoming-oklahoma-golf-edward
File name: BraveCrashHandler.exe
Signature: GuLoader
File size: 1'253'888 bytes
First seen: 2023-11-28 15:31:19 UTC
Last seen: 2023-12-08 13:50:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e5ac8ab7be27ac2d1c548e5589378b6 (11 x GuLoader, 6 x Stealc, 5 x RedLineStealer)
ssdeep: 24576:ImCoj3pb47q6eaLRXKKPuG+fk0MCfUor0V7PmUNm+usly4gWtcQN:IgGq6TLlutfck6zmU/uf4gWuQN
TLSH: T1BE4533BB5B636504F174213824FF721C2D0ABB5D8ABC41D8B1D1094657BBA82DF1BAF4
TrID:
  34.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  23.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  10.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  10.5% (.EXE) OS/2 Executable (generic) (2029/13)
  10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: Xev
Tags: exe GuLoader

Intelligence

File Origin
Number of uploads: 3
Number of downloads: 309
Origin country: GR

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Adding an exclusion to Microsoft Defender
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: enigma lolbin obfuscated packed packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Nanominer, Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disables the Windows task manager (taskmgr)
Disables UAC (registry)
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses whoami command line tool to query computer and username
Very long command line found
Yara detected Nanominer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (the rendered graph is not reproduced here; the data recoverable from it follows):
Behavior Graph ID: 1349387
Sample: BraveCrashHandler.exe
Start date: 28/11/2023
Architecture: WINDOWS
Score: 100

Process tree, with the observations the graph attaches to each node:
BraveCrashHandler.exe (detected unpacking; hides threads from debuggers)
  cmd.exe (very long command line; encrypted PowerShell cmdline option)
    powershell.exe (contacts 52.216.162.237, 52.216.250.126 and 54.231.202.224, AMAZON-02US, United States; drops C:\Users\usermbmake.exe (PE32), C:\Users\usermbedit.exe (PE32), C:\Users\user\...\GoogleCrashHandler64.exe (PE32) and 3 other malicious files; bypasses PowerShell execution policy; drops PE files to the user root directory; potential dropper URLs found in memory)
      whoami.exe
      chcp.com
    powershell.exe (disables UAC via registry; disables the Windows task manager)
      chcp.com
    powershell.exe (creates multiple autostart registry keys)
      chcp.com
    4 other processes
      chcp.com
      chcp.com
BraveCrashHandler.exe (multi-AV and machine-learning detection for dropped file)
  cmd.exe
    powershell.exe (uses whoami to query computer and username)
      powershell.exe
        conhost.exe
      3 other processes
    powershell.exe
      chcp.com
    conhost.exe
GoogleCrashHandler64.exe (drops C:\Users\user\AppData\Local\...\service.dll, C:\Users\user\AppData\...\nvrtc64_120_0.dll, C:\Users\user\...\nvrtc-builtins64_120.dll and C:\Users\user\AppData\Local\...\dlIhost.exe, all PE32+)
  cmd.exe
    5 other processes
3 other processes (contact 23.56.12.114, AKAMAI-ASUS, United States, and 127.0.0.1; drop C:\Users\user\AppData\...\RuntimeBrooker.exe (PE32+); antivirus detection for dropped file; tries to detect sandboxes and other dynamic analysis tools by window names)
  dIlhost.exe (contacts 44.196.193.227 and 54.83.130.110, AMAZON-AESUS, United States; queries firmware table information, likely to detect VMs; hides threads from debuggers)
  cmd.exe
    4 other processes
  conhost.exe
  6 other processes
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2023-11-25 13:22:47 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 24 of 37 (64.86%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Blocklisted process makes network request
Downloads MZ/PE file
Unpacked files
SHA256 hash: c95858f8041c0ad9c6e9441e1f7dfa4e70085e4e73378bf2a47a5d4cb53ca2de
MD5 hash: c904b4a7114cdd828f404f381b635e81
SHA1 hash: 508ec826663658a9430476569611d63022d685b4
Detections: SUSP_XORed_URL_In_EXE

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: SUSP_XORed_URL_In_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: GuLoader
File: Executable exe c95858f8041c0ad9c6e9441e1f7dfa4e70085e4e73378bf2a47a5d4cb53ca2de (this sample)