MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b
SHA3-384 hash: 07d512611ec6a4d1f68f4a3217453db8345db1009b90cab2576b57caa768e86299657100dcde9cad454c25b1f6cde32e
SHA1 hash: 66de55b95e1f19b9c626e35126e9c6dbac8680b0
MD5 hash: 25727be97a9ff477eaf9f5ede2517d4a
humanhash: apart-zulu-eight-bravo
File name:DATASHEET rfq.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:373'440 bytes
First seen:2024-05-02 05:46:28 UTC
Last seen:2024-05-07 06:12:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 6144:BcQ9zIITdbWCYoZjp2D210jNiIwUv5PGqJe+kmX/SZB3pH2ybSnYOD69Y7Qh:BwCYsjpu210jNnlGqJolIyUYOu9YW
Threatray 962 similar samples on MalwareBazaar
TLSH T1A28412533B8898A3D3264EB038BFC22597337D1649561B4F33897FBE18F13A54A07659
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f069d4e8e8f0d4b0 (1 x GuLoader)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Joshia
Issuer:Joshia
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-27T05:07:21Z
Valid to:2027-03-27T05:07:21Z
Serial number: 27a6ae079ac339172da62e008edaeaf63ff5e1f2
Thumbprint Algorithm:SHA256
Thumbprint: cba4f1925f5e2cfc047f3e550435c1031eeed6348d0b75bd29ce9dfa14b32e90
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
304
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b.exe
Verdict:
Malicious activity
Analysis date:
2024-05-02 05:49:17 UTC
Tags:
discord smtp exfiltration stealer agenttesla
Link:
https://app.any.run/tasks/c5a154c9-5288-44ad-882f-437564028f9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Delayed reading of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/663328d9de9c2e310307dff4/reports/e86a6764-43de-4b53-94e3-0cbbc0a6c070/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d4994e37-1762-4b60-bcc8-35eb79947fac
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1435132
Signature
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected GuLoader
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2024-05-02 02:28:45 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=an5pwbhmw6oeojmi43y3gvy2xoeqhlzpzbxrvdfc4kwlmpaugnnq._file
Verdict:
unknown
Similar samples:
0fa80698a35b4c2a50017e5c61ee63df5ee39ff18b1d1c97d9381401ec1c3c5a
GuLoader
2afb072fe81c319cbe4cee6d2c660a16a833b4243c8e5ea0aa041b2b974c3ef5
GuLoader
4246c71f963c26fb5243425abc893778b6ddf6c3dc0a71583eca79866878a828
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
d4471111f0e92ea1d7760bd2cc6f75ce16bc8245d077edc47d56181f23a96cea
GuLoader
d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15
GuLoader
ec27e95180289cd7ca8ebfafc4a1ec973448dcda09892716324966ac95ce4a87
GuLoader
+ 952 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240502-ggvywsce43/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of web browsers
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
MD5 hash:
6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1 hash:
b6ac111dfb0d1fc75ad09c56bde7830232395785
Link:
https://www.unpac.me/results/eb8c3811-28cc-4432-b976-183fff797591/
SH256 hash:
037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b
MD5 hash:
25727be97a9ff477eaf9f5ede2517d4a
SHA1 hash:
66de55b95e1f19b9c626e35126e9c6dbac8680b0
Link:
https://www.unpac.me/results/eb8c3811-28cc-4432-b976-183fff797591/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/037afb04ecb7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 037afb04ecb79c472588e6f1b3571abb8903af2fc86f1a8ca2e2acb63c14335b

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::GetWindowsDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments