MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a
SHA3-384 hash: 660506c807a9d9c49685ba41a4262328ec9953530c6f0bc362f3a64ee7073c4d4d865e1e34ee9db148e2927d3a191031
SHA1 hash: 7f138da24c764f6d37b2d690df32481ba686d448
MD5 hash: 175656747a014cd0405388c8796f769d
humanhash: pluto-tennis-charlie-enemy
File name:GTE 7000345678.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:572'896 bytes
First seen:2023-12-04 09:12:25 UTC
Last seen:2023-12-04 11:22:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93dfc16ed07ebeb5b405221f10d12c0e (30 x GuLoader, 4 x RemcosRAT, 1 x AgentTesla)
ssdeep 12288:aS2dfQBQfYfliYNF95lWq5SoASsA6sB20XCI9:B2dfWXflnTjlWrU6420XT9
TLSH T10AC4F103BB4CC59ED9722B705573EA8A57F0BDF514BA06167E69396F88773804A3AF00
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6ad3dbc9e394c478 (3 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Otidine
Issuer:Otidine
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-25T03:00:00Z
Valid to:2026-06-24T03:00:00Z
Serial number: 2f4f86f868a4cdc68bdcb441615575c5b56d404b
Thumbprint Algorithm:SHA256
Thumbprint: e1e5fb7c5747d7997444e64186ff3d5d15527426acd0ff8e70102b4761225591
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
313
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462290/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1357304.9177.14303.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Searching for the window
Searching for the Windows task manager window
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656d98202efa450749b864b0/reports/06e833e3-55c7-403b-a685-d502150aec2d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bbfb917b-a023-4592-a275-3361eb5e9e62
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353001
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1353001 Sample: GTE_7000345678.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 33 mail.etasimali.com 2->33 35 etasimali.com 2->35 37 2 other IPs or domains 2->37 49 Found malware configuration 2->49 51 Antivirus detection for URL or domain 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 5 other signatures 2->55 9 GTE_7000345678.exe 38 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\Offerceremonis.Bra, data 9->25 dropped 27 C:\Users\user\AppData\...\Dokumentarierne.Bic, ASCII 9->27 dropped 29 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->29 dropped 31 2 other files (none is malicious) 9->31 dropped 65 Suspicious powershell command line found 9->65 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 67 Suspicious powershell command line found 13->67 69 Very long command line found 13->69 71 Found suspicious powershell code related to unpacking or dynamic code loading 13->71 16 powershell.exe 15 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 45 Writes to foreign memory regions 16->45 47 Maps a DLL or memory area into another process 16->47 21 MSBuild.exe 15 8 16->21         started        process11 dnsIp12 39 etasimali.com 146.88.237.40, 49718, 49719, 587 PLANETHOSTER-8CA France 21->39 41 api4.ipify.org 104.237.62.212, 443, 49717 WEBNXUS United States 21->41 43 185.255.114.18, 49716, 80 DEDIPATH-LLCUS Germany 21->43 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->57 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->59 61 Tries to steal Mail credentials (via file / registry access) 21->61 63 2 other signatures 21->63 signatures13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 08:30:54 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
15 of 22 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqgnc3dqq54jwg77sxzh54b656c6g7rugyxwm5vi5l7snc34ne5a._file
Verdict:
unknown
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231204-k6q8saab69/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
e18005b81ab18ca5afcab9b6a47d0f024535b66d1f02dc2c5e2c7f28faa21516
MD5 hash:
d3d76d8a516ceb45b8d354544c7fdec4
SHA1 hash:
0a39185c2292d3124f5139717ca9d00cd5a046b3
Link:
https://www.unpac.me/results/77a362fa-5219-43bb-ae69-855fbb4711c6/
SH256 hash:
14ebfa0711b48ec748b6e4985db4b99a827996ae44b28122d16f14d0d0f51bb6
MD5 hash:
84bcbefa5fe3d82647a15f135f22fb2a
SHA1 hash:
7c23a0c1a8b185f5af456dafa63a3c1207d8c1dc
Link:
https://www.unpac.me/results/77a362fa-5219-43bb-ae69-855fbb4711c6/
SH256 hash:
99c7654e291227686ffd9414bf77dc6c62d2b712f10348fd8a0697cd4940ef75
MD5 hash:
78e5813c5712f365d29f17e4f2aba6bb
SHA1 hash:
77fdf437a119d6cb6bd9b47b6073932aa419c928
Link:
https://www.unpac.me/results/77a362fa-5219-43bb-ae69-855fbb4711c6/
SH256 hash:
cd962e37d655e66c81ba14a184b5959b85b80d0929725119ccd226f5ffb622a2
MD5 hash:
d7e3e8edfd38663f63e5440460ec4c0f
SHA1 hash:
1f347bf304982256102fcaaea32a52fccdc59caf
Link:
https://www.unpac.me/results/77a362fa-5219-43bb-ae69-855fbb4711c6/
SH256 hash:
140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a
MD5 hash:
175656747a014cd0405388c8796f769d
SHA1 hash:
7f138da24c764f6d37b2d690df32481ba686d448
Link:
https://www.unpac.me/results/77a362fa-5219-43bb-ae69-855fbb4711c6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/140cd16c7087/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462290/

Comments