MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 006bf1bbcce9975a267a47c57b2418d136c87dcc0ad30a604e8fa8f99f74d568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 006bf1bbcce9975a267a47c57b2418d136c87dcc0ad30a604e8fa8f99f74d568
SHA3-384 hash: 14cb84fcdb83dd7b6e68da7208132312c9497f49f56055ccc6a43a523f88930f97d7360e3d7dbb86d7e052bf90c9733c
SHA1 hash: 1b7c067c5672839844553c8e62bdb8c0beb3e36f
MD5 hash: 366e35731abb231a09e25dc7e7e95898
humanhash: sixteen-fix-yankee-single
File name:TRF9107779.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:559'608 bytes
First seen:2023-11-13 14:25:52 UTC
Last seen:2023-11-14 12:37:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f23f452093b5c1ff091a2f9fb4fa3e9 (282 x GuLoader, 37 x RemcosRAT, 27 x VIPKeylogger)
ssdeep 12288:cImEcvtDAQ67pDuku/ZRP99OENXxEA1JTD+6ctTFMvJWvd83V:cpVvNJ67FvsRPnOExmYiNivqmV
Threatray 492 similar samples on MalwareBazaar
TLSH T122C402D43BC29472C437CE33DBB6AFA1AE700E971DD8EDD34540670B2A72B51580A66B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-24T11:48:26Z
Valid to:2025-12-23T11:48:26Z
Serial number: 5cac76cd7c550dc0f8da7433a20770f3dc016d4a
Thumbprint Algorithm:SHA256
Thumbprint: 653e856fa2cfdfcfa3ccb815b87620b96ce7f32ad465062a93d4dc354def4682
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
333
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
TRF9107779.exe
Verdict:
Malicious activity
Analysis date:
2023-11-13 14:26:51 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/30bf22bf-7831-425b-9cb8-e5705b126baa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458349/
Detection(s):
SecuriteInfo.com.Win32.SuspectCrc.9866.27194.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/655231fa993fbf888b73d2a8/reports/51aef6d9-0160-4df4-9d94-cd09f45575cf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/006bf1bbcce9975a267a47c57b2418d136c87dcc0ad30a604e8fa8f99f74d568
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e11aaf3-0948-46a4-b02d-4d15e0672b6a
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341735
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1341735 Sample: TRF9107779.exe Startdate: 13/11/2023 Architecture: WINDOWS Score: 100 22 server1.sqsendy.shop 2->22 24 fp2e7a.wpc.phicdn.net 2->24 26 4 other IPs or domains 2->26 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 Antivirus detection for URL or domain 2->38 40 6 other signatures 2->40 8 TRF9107779.exe 1 31 2->8         started        signatures3 process4 process5 10 powershell.exe 20 8->10         started        file6 20 C:\Users\user\AppData\...\TRF9107779.exe, PE32 10->20 dropped 42 Writes to foreign memory regions 10->42 44 Maps a DLL or memory area into another process 10->44 46 Found suspicious powershell code related to unpacking or dynamic code loading 10->46 48 Powershell drops PE file 10->48 14 MSBuild.exe 15 8 10->14         started        18 conhost.exe 10->18         started        signatures7 process8 dnsIp9 28 server1.sqsendy.shop 63.250.35.178, 49739, 587 NAMECHEAP-NETUS United States 14->28 30 api4.ipify.org 64.185.227.156, 443, 49738 WEBNXUS United States 14->30 32 coinnbaservgloalpha.grgurina.com 199.204.248.133, 443, 49737 AS17054US United States 14->32 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->52 54 Tries to steal Mail credentials (via file / registry access) 14->54 56 Tries to harvest and steal browser information (history, passwords, etc) 14->56 signatures10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/006bf1bbcce9975a267a47c57b2418d136c87dcc0ad30a604e8fa8f99f74d568
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/006bf1bbcce9975a267a47c57b2418d136c87dcc0ad30a604e8fa8f99f74d568/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-11-13 11:00:35 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abv7do6m5glvujt2i7cxwjay2e3mq7ombljquycor6upth3u2vua._file
Verdict:
unknown
Similar samples:
1e08bbecaa308b4390f6313410fb0f23c47c989e1a247c21fd0ab26b72f666c6
GuLoader
466a8e22e7c7b6f48e4ad215d7366ef595748a37f4ce4a50449ecc89fbe16d2b
GuLoader
49a73b28d4122d560e987d24674e9e5e0038aa6c56e83e07b43c383b5b29ff44
GuLoader
52b0f189a1e266fd5e8ebbb97d116c47a28842eea388669753657342a9dc4083
GuLoader
69b1f9d8334bb44d7b7f10a9efc31ad30cfe72ded8bd3e4a6da67b71a2bd485d
GuLoader
69c845dfc6e399c55730f8ffe5a7c822f3b36f94cf5905415d8b673e9f391329
GuLoader
ac1f084845ff5e15e2e7748d5ca4ebfc36334b62e02d51d1ddb17c8fcf7bb210
GuLoader
b20c6f8b483814a96dcf489365aab049a9b6cf9f165b02c087dad363594fad65
GuLoader
+ 482 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231113-rrttpadb2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
006bf1bbcce9975a267a47c57b2418d136c87dcc0ad30a604e8fa8f99f74d568
MD5 hash:
366e35731abb231a09e25dc7e7e95898
SHA1 hash:
1b7c067c5672839844553c8e62bdb8c0beb3e36f
Link:
https://www.unpac.me/results/a9ca5251-bb84-4fcb-8963-6ff269c9b536/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/006bf1bbcce9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/006bf1bbcce9975a267a47c57b2418d136c87dcc0ad30a604e8fa8f99f74d568

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/458349/

Comments