MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de8e56619f525bc15263e75b427b91cd06dd3b5e510388707625b5e680bc6191. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader
Vendor detections: 14

SHA256 hash: de8e56619f525bc15263e75b427b91cd06dd3b5e510388707625b5e680bc6191
SHA3-384 hash: 91d75dae50b946597f27c38647749c1c7b1af058f5c90a3fde8d3a96dc1ab60dcd8f63fefeb93f7f3c62cbfac16c34d1
SHA1 hash: 5e9117ecdcfa9528b1ef0cda8b2cf748b04bd41f
MD5 hash: 2d270313021eda875ac1e9c1364f18a1
humanhash: december-uranus-berlin-social
File name: de8e56619f525bc15263e75b427b91cd06dd3b5e510388707625b5e680bc6191
Signature: GuLoader
File size: 667'826 bytes
First seen: 2024-08-06 14:44:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 57e98d9a5a72c8d7ad8fb7a6a58b3daf (60 x GuLoader, 20 x AZORult, 12 x RemcosRAT)
ssdeep: 12288:i6N62KsJbrUhVoaD+hjQ/Pnnye5zVA/jXtz/YNu3:i6N62KBxahwn7Ar9zoi
Threatray: 1'368 similar samples on MalwareBazaar
TLSH: T122E47BB2A3172CF6F91B517D94364B429763EC6686E0221B312DB5362C7336348FB91B
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 7a7a62fa9efaf2c0 (1 x GuLoader)
Reporter: adrian__luca
Tags: exe GuLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 357
Origin country: HU

Vendor Threat Intelligence

Result
Verdict: Malicious
Score: 92.5%
Tags: Encryption Execution Sonbokli

Result
Verdict: Clean
Maliciousness:
Behaviour:
- Using the Windows Management Instrumentation requests
- Creating a file in the %temp% directory
- Creating a window
- Creating a file in the %AppData% subdirectories
- Launching a process

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin microsoft_visual_cc overlay packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GuLoader, Snake Keylogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
- AI detected suspicious sample
- Found malware configuration
- Found suspicious powershell code related to unpacking or dynamic code loading
- Hides threads from debuggers
- Machine Learning detection for dropped file
- Machine Learning detection for sample
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Powershell drops PE file
- Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
- Suspicious powershell command line found
- Switches to a custom stack to bypass stack traces
- Tries to detect the country of the analysis system (by using the IP)
- Writes to foreign memory regions
- Yara detected GuLoader
- Yara detected Snake Keylogger
Behaviour
Behavior Graph (ID 1488832; sample D2MCMOElH7.exe; start date 06/08/2024; architecture WINDOWS; score 100), rendered as text:

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures
Sample-level network: reallyfreegeoip.org (flagged: Tries to detect the country of the analysis system (by using the IP)); checkip.dyndns.org; 3 other IPs or domains

Process tree:
D2MCMOElH7.exe
    dropped: C:\Users\user\AppData\...\Misocapnic.Lin (ASCII)
    signature: Suspicious powershell command line found
    powershell.exe
        dropped: C:\Users\user\AppData\...\D2MCMOElH7.exe (PE32)
        dropped: C:\Users\...\D2MCMOElH7.exe:Zone.Identifier (ASCII)
        signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Hides threads from debuggers; Powershell drops PE file
        conhost.exe
        wab.exe
            network: reallyfreegeoip.org 188.114.97.3, ports 443, 49740, 49741, CLOUDFLARENETUS, European Union
            network: checkip.dyndns.com 193.122.6.168, ports 49739, 49742, 49744, ORACLE-BMC-31898US, United States
            network: 2 other IPs or domains
            signature: Hides threads from debuggers
            cmd.exe
                conhost.exe
                choice.exe
            cmd.exe
                conhost.exe
                reg.exe

Result
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-07-30 13:07:41 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 21 of 38 (55.26%)
Threat level: 2/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:snakekeylogger discovery execution keylogger persistence stealer
Behaviour:
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Enumerates physical storage devices
- System Location Discovery: System Language Discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
- Command and Scripting Interpreter: PowerShell
- Snake Keylogger
- Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot7366173110:AAGGKTc2nhGmJLj3PoBWBj4vSVimYOtLHyA/sendMessage?chat_id=5061956073

Unpacked files
SHA256 hash: de8e56619f525bc15263e75b427b91cd06dd3b5e510388707625b5e680bc6191
MD5 hash: 2d270313021eda875ac1e9c1364f18a1
SHA1 hash: 5e9117ecdcfa9528b1ef0cda8b2cf748b04bd41f
Malware family: SnakeKeylogger
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.
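The sandbox results above give a small set of host-side signals worth turning into checks: the sample's hashes, wab.exe spawned by powershell.exe (the Sigma rule the sandbox names), lookups to reallyfreegeoip.org and checkip.dyndns.com, reg.exe adding a Run key, and the Telegram Bot API URL from the extracted config. The script below is an added example, not MalwareBazaar's or any vendor's code. It uses Sysmon-style field names (Image, ParentImage, CommandLine, Hashes, QueryName); the events are constructed to mirror the process tree, the parent list for the wab.exe check is an approximation of the Sigma rule rather than the rule itself, and the reg.exe command line is an assumption since the entry does not show it.

```python
"""Host-side triage checks for the behaviour reported on this MalwareBazaar
entry (GuLoader dropping Snake Keylogger).

Added example, not code from MalwareBazaar or any sandbox vendor. Indicator
values are quoted from the entry; the event shape, the sample events, the
wab.exe parent list and the reg.exe command line are constructed.
"""
import re

# Indicators quoted from the entry.
SAMPLE_SHA256 = "de8e56619f525bc15263e75b427b91cd06dd3b5e510388707625b5e680bc6191"
SAMPLE_MD5 = "2d270313021eda875ac1e9c1364f18a1"
GEOIP_CHECK_HOSTS = {"reallyfreegeoip.org", "checkip.dyndns.org", "checkip.dyndns.com"}
TELEGRAM_BOT_ID = "7366173110"   # bot id from the extracted C2 URL
TELEGRAM_URL_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):[\w-]+/sendMessage\b", re.I)

# Approximation of the quoted Sigma rule "Wab/Wabmig Unusual Parent Or Child
# Processes": the Windows Address Book binaries have no business being started
# by a script host. The parent list is an assumption, not the rule's own.
WAB_IMAGES = {"wab.exe", "wabmig.exe"}
SCRIPT_HOST_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon 'Image' style field)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hashes(field: str) -> dict:
    """Sysmon 'Hashes' field 'SHA256=...,MD5=...' -> {'sha256': ..., 'md5': ...}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def check_process_create(evt: dict) -> list:
    findings = []
    image = image_name(evt.get("Image", ""))
    parent = image_name(evt.get("ParentImage", ""))
    hashes = parse_hashes(evt.get("Hashes", ""))
    if hashes.get("sha256") == SAMPLE_SHA256 or hashes.get("md5") == SAMPLE_MD5:
        findings.append("known_sample_hash")
    if image in WAB_IMAGES and parent in SCRIPT_HOST_PARENTS:
        findings.append(f"wab_unusual_parent:{parent}")
    # "Adds Run key to start application": reg.exe writing under ...\CurrentVersion\Run
    cmdline = evt.get("CommandLine", "").lower()
    if image == "reg.exe" and " add " in cmdline and "\\currentversion\\run" in cmdline:
        findings.append("run_key_persistence")
    return findings


def check_dns_query(evt: dict) -> list:
    """'Looks up external IP address via web service' / country detection."""
    return ["external_ip_lookup"] if evt.get("QueryName", "").lower() in GEOIP_CHECK_HOSTS else []


def check_url(url: str) -> list:
    """Telegram Bot API exfiltration; the bot id ties a hit to this exact config."""
    m = TELEGRAM_URL_RE.match(url)
    if not m:
        return []
    return ["telegram_c2_exact" if m.group(1) == TELEGRAM_BOT_ID else "telegram_bot_api"]


def triage(events: list) -> dict:
    """Run each event through the check for its type; return {finding: count}."""
    hits = {}
    for evt in events:
        kind = evt.get("EventType")
        if kind == "ProcessCreate":
            found = check_process_create(evt)
        elif kind == "DnsQuery":
            found = check_dns_query(evt)
        elif kind == "HttpRequest":
            found = check_url(evt.get("Url", ""))
        else:
            found = []
        for f in found:
            hits[f] = hits.get(f, 0) + 1
    return hits


# Constructed events mirroring the sandbox process tree; not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Users\user\Desktop\D2MCMOElH7.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "D2MCMOElH7.exe",
     "Hashes": f"SHA256={SAMPLE_SHA256.upper()},MD5={SAMPLE_MD5.upper()}"},
    {"EventType": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Users\user\Desktop\D2MCMOElH7.exe",
     "CommandLine": "powershell.exe", "Hashes": ""},
    {"EventType": "ProcessCreate", "Image": WAB, "ParentImage": PS, "CommandLine": "wab.exe", "Hashes": ""},
    {"EventType": "DnsQuery", "Image": WAB, "QueryName": "reallyfreegeoip.org"},
    {"EventType": "DnsQuery", "Image": WAB, "QueryName": "checkip.dyndns.com"},
    {"EventType": "HttpRequest", "Image": WAB,
     "Url": "https://api.telegram.org/bot7366173110:AAGGKTc2nhGmJLj3PoBWBj4vSVimYOtLHyA/sendMessage?chat_id=5061956073"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\user\AppData\Roaming\D2MCMOElH7.exe"',
     "Hashes": ""},
]

if __name__ == "__main__":
    for finding, count in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{finding}: {count}")
```

The Cloudflare and Oracle addresses from the graph are deliberately not used as indicators: both are shared hosting ("Legitimate hosting services abused for malware hosting/C2"), so the bot id in the Telegram URL and the process relationship are the signals that actually discriminate.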

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: NSIS_GuLoader
Author: NDA0E
Description: Detects GuLoader using NSIS

Rule name: NSIS_GuLoader_July_2024
Author: NDA0E
Description: Detects GuLoader packed with NSIS installer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::SetFileSecurityA
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExA
 | | SHELL32.dll::SHFileOperationA
 | | SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA
 | | ADVAPI32.dll::OpenProcessToken
 | | KERNEL32.dll::CloseHandle
 | | KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExA
 | | KERNEL32.dll::GetDiskFreeSpaceA
 | | KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileA
 | | KERNEL32.dll::CreateDirectoryA
 | | KERNEL32.dll::CreateFileA
 | | KERNEL32.dll::DeleteFileA
 | | KERNEL32.dll::MoveFileExA
 | | KERNEL32.dll::MoveFileA
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA
 | | ADVAPI32.dll::RegDeleteKeyA
 | | ADVAPI32.dll::RegOpenKeyExA
 | | ADVAPI32.dll::RegQueryValueExA
 | | ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA
 | | USER32.dll::EmptyClipboard
 | | USER32.dll::FindWindowExA
 | | USER32.dll::OpenClipboard
 | | USER32.dll::PeekMessageA
 | | USER32.dll::CreateWindowExA
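Both BLint findings come straight from the PE optional header: the Certificate Table data directory (index 4) is empty when there is no Authenticode signature, and HIGH_ENTROPY_VA is one bit of the DllCharacteristics field. The script below is an added example, not BLint's own code; it parses only those fields and reproduces the two findings. One caveat a triage analyst should keep in mind: HIGH_ENTROPY_VA only governs 64-bit address-space ASLR, so on a PE32 image (the sandbox reports the dropped copy as PE32) its absence says nothing about the binary's actual mitigations, and the example annotates that case. The header-only images built by make_minimal_pe() are constructed fixtures, not the GuLoader sample.

```python
"""Re-derive the two BLint findings above from the PE headers.

Added example, not BLint's code. It reads only what the checks need: the
optional header's DllCharacteristics flags and the Certificate Table data
directory that an Authenticode signature occupies. The images built by
make_minimal_pe() are constructed fixtures for exercising the parser.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Certificate Table (Authenticode)

# IMAGE_DLLCHARACTERISTICS_* bits relevant to exploit mitigations.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR; no effect on a PE32 image
    0x0040: "DYNAMIC_BASE",      # ASLR
    0x0080: "FORCE_INTEGRITY",   # loader must verify the signature
    0x0100: "NX_COMPAT",         # DEP
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",          # Control Flow Guard
}


def parse_pe(data: bytes) -> dict:
    """Return the fields the lint needs; raises ValueError on a non-PE blob."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # skip signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_base = opt + 96                        # data directories start (PE32)
    elif magic == PE32PLUS_MAGIC:
        dd_base = opt + 112                       # data directories start (PE32+)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, dd_base - 4)[0]   # NumberOfRvaAndSizes
    has_cert = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # This entry holds a file offset rather than an RVA; for a presence
        # check only "both fields non-zero" matters.
        off, size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        has_cert = off != 0 and size != 0
    return {"pe32plus": magic == PE32PLUS_MAGIC,
            "dll_characteristics": dll_chars,
            "has_certificate_table": has_cert}


def lint(info: dict) -> list:
    """BLint-style findings as (check id, detail) tuples."""
    findings = []
    if not info["has_certificate_table"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode"))
    for bit, name in DLL_CHARACTERISTICS.items():
        if info["dll_characteristics"] & bit:
            continue
        detail = f"Missing dll Security Characteristics ({name})"
        if name == "HIGH_ENTROPY_VA" and not info["pe32plus"]:
            detail += " [PE32 image: this flag only applies to 64-bit images]"
        findings.append(("CHECK_DLL_CHARACTERISTICS", detail))
    return findings


def lint_file(path: str) -> list:
    """Run the checks against a file on disk (e.g. the downloaded sample)."""
    with open(path, "rb") as fh:
        return lint(parse_pe(fh.read()))


def make_minimal_pe(pe32plus: bool, dll_chars: int, signed: bool) -> bytes:
    """Constructed header-only image: DOS header, PE signature, COFF, optional header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew
    dd_base = 112 if pe32plus else 96
    opt = bytearray(dd_base + 16 * 8)               # 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dd_base - 4, 16)    # NumberOfRvaAndSizes
    if signed:  # dummy certificate table: offset and size only need to be non-zero
        struct.pack_into("<II", opt, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x200)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Unsigned PE32 with ASLR and DEP set but nothing else.
    for check, detail in lint(parse_pe(make_minimal_pe(False, 0x0140, False))):
        print(check, detail)
```

For the real sample, lint_file() on the downloaded binary gives the same two checks BLint reported, plus whatever other bits are clear; reading the header directly also confirms whether the image is PE32 or PE32+ before weighing the HIGH_ENTROPY_VA result.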

Comments