MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d89afcb5a9cd0b710f6790931566822009c12fa344857e1c35791181035f21ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d89afcb5a9cd0b710f6790931566822009c12fa344857e1c35791181035f21ce
SHA3-384 hash: fc196d8547204ed41074b43f7765377d60785f8d770bcbea83546d141762e7cd2bddfab93a99615ab6b95e7995f41afa
SHA1 hash: 68bb59a46e052682bac47255f221ddb61c4ca188
MD5 hash: 71b0545cfd5a7b63459d13e350a9438c
humanhash: beryllium-robert-uniform-kansas
File name:Demande de devis (GUICHON 080421).exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2021-08-05 06:24:01 UTC
Last seen:2021-08-05 07:21:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b947ef57db12504396f2fb768b954d80 (5 x GuLoader)
ssdeep 1536:KXJ+JzBQTy3SNUWHH4/cJ0psUpJY/gg74aS:EMJ9QTDeiHggoX
Threatray 5'482 similar samples on MalwareBazaar
TLSH T1DBB31AB0B6E3545AF365C33D0737855BC5E33833550E992EA008AB390135B8EBB9967B
dhash icon 8000f2e8ccd4e8ba (5 x GuLoader)
Reporter TeamDreier
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Demande de devis (GUICHON 080421).exe
Verdict:
No threats detected
Analysis date:
2021-08-05 06:30:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4cb3a837-7735-4cff-afc8-9e40a12989a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176532/
Detection(s):
SecuriteInfo.com.__vbaHresultCheck.30449.26873.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/813df959-d83c-4089-bc3c-2e632aaa6489
Result
Threat name:
GuLoader AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spre.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827854
Signature
GuLoader behavior detected
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460289 Sample: Demande de devis (GUICHON 0... Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 26 Multi AV Scanner detection for submitted file 2->26 28 Sigma detected: RegAsm connects to smtp port 2->28 30 GuLoader behavior detected 2->30 32 3 other signatures 2->32 7 Demande de devis (GUICHON 080421).exe 1 2->7         started        process3 signatures4 34 Writes to foreign memory regions 7->34 36 Tries to detect Any.run 7->36 38 Hides threads from debuggers 7->38 10 RegAsm.exe 9 7->10         started        14 RegAsm.exe 7->14         started        16 RegAsm.exe 7->16         started        process5 dnsIp6 20 brimaq.com 78.128.8.31, 49706, 587 TELEPOINTBG Bulgaria 10->20 22 googlehosted.l.googleusercontent.com 142.250.186.33, 443, 49705 GOOGLEUS United States 10->22 24 3 other IPs or domains 10->24 40 Tries to steal Mail credentials (via file access) 10->40 42 Tries to harvest and steal ftp login credentials 10->42 44 Tries to harvest and steal browser information (history, passwords, etc) 10->44 52 2 other signatures 10->52 18 conhost.exe 10->18         started        46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->48 50 Tries to detect virtualization through RDTSC time measurements 14->50 signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d89afcb5a9cd0b710f6790931566822009c12fa344857e1c35791181035f21ce/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 01:55:30 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3cnpznnjzufxcd3hscjrkzuceae4cl5discx4hbvpeiyca27ehha._file
Verdict:
suspicious
Similar samples:
0c8b9ba8bdd9a1d91ba4d61c81480b7337e6189fb0836301d71e90fa6adec8b6
GuLoader
145140cd633a7bf56dc72d7122eab466b85712460a3c33eced6256e18c0407c6
GuLoader
4ef5d20300b62654c4816aa089e9acf5fad299d6e13b12a7b6036e9ba9a6a7f2
GuLoader
55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
GuLoader
6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df
GuLoader
9435308eb1024c0e11753dc2412b9243af69d7388817e3aebc59a4a58f2ec372
GuLoader
96b039e90a18d1183d57eacf36c820ccf5526ab01cb498a78468fc4b8181265c
GuLoader
c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
GuLoader
+ 5'472 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210805-67q3vq1vba/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
d89afcb5a9cd0b710f6790931566822009c12fa344857e1c35791181035f21ce
MD5 hash:
71b0545cfd5a7b63459d13e350a9438c
SHA1 hash:
68bb59a46e052682bac47255f221ddb61c4ca188
Link:
https://www.unpac.me/results/ac6d99ca-4b49-40a7-8b0f-34cb92102d4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d89afcb5a9cd0b710f6790931566822009c12fa344857e1c35791181035f21ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176532/

Comments