MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01402a21670aff5459a82853d36167e0226dec7fac8f1ccc5cb94ac2fe421957. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01402a21670aff5459a82853d36167e0226dec7fac8f1ccc5cb94ac2fe421957
SHA3-384 hash: cdc8e6881fa40c43bd5671eb0dfcbdbd3b3424201e9be471c5d0b0faab62566a1357d1b5de9fe5044a6f6b54ed74e5f1
SHA1 hash: b882201e88e5caa040165c17a7f8bb92e2a42ac1
MD5 hash: 894fecff0debb35017b846b249e30bf3
humanhash: mirror-salami-dakota-november
File name:0500_20191029131605_001.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:204'032 bytes
First seen:2022-10-28 18:17:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 6144:RDSoIKJU3p8FQF4tVvhPuXaWL1kOitZs2:PJUZf4tVsqDtZs2
Threatray 20 similar samples on MalwareBazaar
TLSH T1E014126266F09427EA978972077AB3BEF27FF714182088DF1B607FB50D36267990504B
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-26T11:48:05Z
Valid to:2025-10-25T11:48:05Z
Serial number: 0eafa4f111baaa5c
Thumbprint Algorithm:SHA256
Thumbprint: 62c100c1e5aaae181900573e91977b9c470546bbb451910dc2fd95c267241172
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
0500_20191029131605_001.exe
Verdict:
Malicious activity
Analysis date:
2022-10-28 18:20:08 UTC
Tags:
installer guloader
Link:
https://app.any.run/tasks/12325d1d-36db-4096-b496-9d2c8d264243

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325608/
Detection(s):
SecuriteInfo.com.Adware.Agent.OKV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/635c1cdb736e9d884f0d79ed/reports/dc45eeab-193d-4b8c-ac91-b398eb0b93fa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/95e592dc-34c2-443c-9692-881add4bce69
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.adwa.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100555
Signature
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 733216 Sample: 0500_20191029131605_001.exe Startdate: 28/10/2022 Architecture: WINDOWS Score: 100 39 api.telegram.org 2->39 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected GuLoader 2->57 59 3 other signatures 2->59 8 0500_20191029131605_001.exe 2 35 2->8         started        12 NXLun.exe 2 2->12         started        14 NXLun.exe 1 2->14         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\System.dll, PE32 8->33 dropped 61 Writes to foreign memory regions 8->61 63 Tries to detect Any.run 8->63 16 CasPol.exe 18 15 8->16         started        21 CasPol.exe 8->21         started        23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        signatures6 process7 dnsIp8 35 api.telegram.org 149.154.167.220, 443, 49879 TELEGRAMRU United Kingdom 16->35 37 192.227.183.138, 49869, 80 AS-COLOCROSSINGUS United States 16->37 29 C:\Windows\System32\drivers\etc\hosts, ASCII 16->29 dropped 31 C:\Users\user\AppData\Roaming\...31XLun.exe, PE32 16->31 dropped 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->41 43 Tries to steal Mail credentials (via file / registry access) 16->43 45 Creates multiple autostart registry keys 16->45 51 5 other signatures 16->51 27 conhost.exe 16->27         started        47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->49 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01402a21670aff5459a82853d36167e0226dec7fac8f1ccc5cb94ac2fe421957/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 14:07:18 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
19 of 40 (47.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=afacuilhbl7viwnifbj5gylh4arg33d7vshrztc4xffmf7scdflq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
GuLoader
37c86f121c6f2444ba270e021f0fe141de6dac7cba6267e9a873f72eabb6bbff
GuLoader
43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286
GuLoader
4ddc7dadc052cd25fdb4171c0ba585cf63bcfc648654bb7da2e2b69ec920a781
GuLoader
65e331380851f9aced88e0aa9e78e70d04131fa073c5278f6e7fbeb0dff82267
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
79f0258fb0f3f2379e0a0320a754686cbc9e4627240f03663276b6b724952fb9
GuLoader
7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92
GuLoader
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221028-wxlgqaadbn/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ebdef250-330d-4d1f-b5cb-e86fd52893c8
Unpacked files
SH256 hash:
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
MD5 hash:
960a5c48e25cf2bca332e74e11d825c9
SHA1 hash:
da35c6816ace5daf4c6c1d57b93b09a82ecdc876
Link:
https://www.unpac.me/results/4b22be08-576a-4836-a6fc-ab980241c03c/
SH256 hash:
01402a21670aff5459a82853d36167e0226dec7fac8f1ccc5cb94ac2fe421957
MD5 hash:
894fecff0debb35017b846b249e30bf3
SHA1 hash:
b882201e88e5caa040165c17a7f8bb92e2a42ac1
Link:
https://www.unpac.me/results/4b22be08-576a-4836-a6fc-ab980241c03c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/01402a21670aff5459a82853d36167e0226dec7fac8f1ccc5cb94ac2fe421957

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 01402a21670aff5459a82853d36167e0226dec7fac8f1ccc5cb94ac2fe421957

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/325608/

Comments