MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db95b1fd14afe70b52d79131a53865993353ccfc5070146615a7c4f1a115d1bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db95b1fd14afe70b52d79131a53865993353ccfc5070146615a7c4f1a115d1bb
SHA3-384 hash: 862587d8f759b5c78b8ea7dfe16b2beb2b02da253b53d359f018f83d846a03cc1bacf05d6ec117d2e1b09357c1acfbcf
SHA1 hash: a44dcf96e96da092364feb71bd352fd3aed572b6
MD5 hash: 6e2421f828be0a979def8c0ddfa6d4e5
humanhash: golf-fillet-alanine-happy
File name:№ 254 Минерал Армения.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:389'448 bytes
First seen:2023-07-31 06:27:05 UTC
Last seen:2023-07-31 08:58:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (60 x GuLoader, 21 x RemcosRAT, 18 x AgentTesla)
ssdeep 6144:BicFyrvy4vZAIMIN9Rg9G6Vvyk6NuuAv1Yc6XPeeRDk6nrR79XJ6MObBSaZnlgKH:8v5ZB9RG6TA9YrVDNrRpXsMuBSMlgK5N
Threatray 429 similar samples on MalwareBazaar
TLSH T15F8402435761A803FAD7093509FEAFB5FDB78C51317C822B17722A693A25F90724AF42
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0e4caccccacd870 (4 x GuLoader, 1 x NanoCore)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-05-16T23:31:30Z
Valid to:2026-05-15T23:31:30Z
Serial number: 73cb7318a97d3b0b66eb1fcc4bbd394d64902499
Thumbprint Algorithm:SHA256
Thumbprint: 6703304582ee150b24646ae6a3c4ff06aa3e5099205e142220f4db867dd99ef6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
272
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
№ 254 Минерал Армения.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-31 06:30:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7ecfa61f-eb97-490a-8637-53fc352b3136

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439265/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/db95b1fd14afe70b52d79131a53865993353ccfc5070146615a7c4f1a115d1bb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b7f6ebf7-67ae-463b-9c50-757fc2352c40
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1282891
Signature
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db95b1fd14afe70b52d79131a53865993353ccfc5070146615a7c4f1a115d1bb/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 05:48:48 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ok3d7iuv7tqwuwxsey2kodftezvhth4kbybizqvu7cpdiiv2g5q._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
5b71ca8477aec239a3024551bfadd54156121e3cb394509d0642241048fc2b83
GuLoader
666f6668173354a8778b1d470f245c39116b67ad41e15d16b99d9ef69d794185
GuLoader
89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944
GuLoader
b0fb2b621554e7ec448b02a2a0fd62e4930db4625dee899b52d20aa2c9a457ad
GuLoader
b9772355669f37cc643520569eb699b6bd00e96999495404977d082b0ef4fbaf
GuLoader
bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350
GuLoader
d1c0a7043a069e8e3c7e63d87c918d0613be1e4c6c1d0fe4fd05addbfe4367fa
GuLoader
e9e52f7f7442fd3bf5330794843a393c1b2e4e0fd462a153daaf89e4d1109d27
GuLoader
+ 419 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/230731-g8bpbsch68/
Behaviour
Enumerates physical storage devices
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/cbe14587-500c-4b4c-9b7f-cdc4f436a683/
SH256 hash:
db95b1fd14afe70b52d79131a53865993353ccfc5070146615a7c4f1a115d1bb
MD5 hash:
6e2421f828be0a979def8c0ddfa6d4e5
SHA1 hash:
a44dcf96e96da092364feb71bd352fd3aed572b6
Link:
https://www.unpac.me/results/cbe14587-500c-4b4c-9b7f-cdc4f436a683/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe db95b1fd14afe70b52d79131a53865993353ccfc5070146615a7c4f1a115d1bb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439265/

Comments