MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02562a3a5be85b9ed5b6022e1e50ab3e8ded7bfe9007512fa03e8a21779078d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02562a3a5be85b9ed5b6022e1e50ab3e8ded7bfe9007512fa03e8a21779078d3
SHA3-384 hash: eeff573de16aa804fba74a3cd2a7c09d1e23beeee3d368cabd0aabc15cbe10314a656b0df68ef0ad7028511f4893e87b
SHA1 hash: a9f1623a24ac35e3d739df064db917ca42750d16
MD5 hash: c13d6628fbf5433e847407af849e1e77
humanhash: delta-mountain-aspen-lima
File name:c13d6628fbf5433e847407af849e1e77.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:497'864 bytes
First seen:2022-12-16 08:06:56 UTC
Last seen:2022-12-16 09:33:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 12288:ztoAXsmMsGFWGgTiwKhcQeuIbv/FeWUPa:q1mMsGF5oiVEh
Threatray 43 similar samples on MalwareBazaar
TLSH T1BBB412D67A92E0E7F54A49B10D27FC766A36FC192C60471B7201BBAFED32241842774B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9869e0f8d0f0f870 (4 x GuLoader, 2 x Loki)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Myelomatoid
Issuer:Myelomatoid
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-24T14:46:55Z
Valid to:2025-11-23T14:46:55Z
Serial number: -688eec636ebf4696
Thumbprint Algorithm:SHA256
Thumbprint: 202cd842c5005c4be5338d667d4eedb36ebd9b4a0282a49b8f8be38b0560398c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
AWBTwo shipment combined=NEW AIR--SJOINT+CMZ for CPKM, ex PVGSRG, QTY8ROLLS64KG0.14CBM.doc
Verdict:
Malicious activity
Analysis date:
2022-12-15 15:21:00 UTC
Tags:
exploit cve-2017-11882 loader guloader
Link:
https://app.any.run/tasks/ce859a1c-1dcd-48fc-84e2-3611ff915001

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/346920/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.15474.29647.22637.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Delayed reading of the file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/639c27417c9bf40b178de920/reports/b16e33fd-8d3d-4655-a2eb-952231ae9918/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9652b707-5c84-4c11-b549-e7e33bd22cef
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1135559
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02562a3a5be85b9ed5b6022e1e50ab3e8ded7bfe9007512fa03e8a21779078d3/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-15 16:09:22 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajlcuos35bnz5vnwaixb4uflh2g62676sadvcl5ah2fcc54qpdjq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
32734437ca16d5bf5babbbe8dfe93dfdc953418dcd53cde0b7fe55b6c69fc3b4
GuLoader
83cf1834c1ebc4ab37dcf0734120efadb2ca3354e28c0887aa2188f03de39a15
GuLoader
89ed1483ade890ada1d088ca1c76a378ed83043fe2dfc877b69788a5857b375c
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
ba99bed9890c619411129e8902aaaf4f65a68c77735a577f8a85428e4f4167e5
GuLoader
cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215
GuLoader
d46d42ee9797144da35c4b0eaf6599c8c9d5edc24afe88ac098bcda6cc20d1cb
GuLoader
ed384b7f5efea452a5c23b8c68dc7ed07178b4f6f4162b04448118ee2b5ef684
GuLoader
+ 33 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/221216-jzzqxahb7z/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e6f7a550-c89a-4d89-a733-61c820342bae
Unpacked files
SH256 hash:
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
MD5 hash:
ca332bb753b0775d5e806e236ddcec55
SHA1 hash:
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
Link:
https://www.unpac.me/results/e7694fda-369b-464e-8724-cf91563e59a5/
SH256 hash:
02562a3a5be85b9ed5b6022e1e50ab3e8ded7bfe9007512fa03e8a21779078d3
MD5 hash:
c13d6628fbf5433e847407af849e1e77
SHA1 hash:
a9f1623a24ac35e3d739df064db917ca42750d16
Link:
https://www.unpac.me/results/e7694fda-369b-464e-8724-cf91563e59a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/02562a3a5be85b9ed5b6022e1e50ab3e8ded7bfe9007512fa03e8a21779078d3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 02562a3a5be85b9ed5b6022e1e50ab3e8ded7bfe9007512fa03e8a21779078d3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2350853/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/346920/

Comments