MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14d4d83349b6f4da3a7041b2b37449a45febf07849eb4b622024ffbd9b3e477d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	14d4d83349b6f4da3a7041b2b37449a45febf07849eb4b622024ffbd9b3e477d
SHA3-384 hash:	a15c2fc89a3718fef7eef7980074b976807611a1faeef5fd62892271039d99fff5c27b3a4b1361d4eff2e7bbacfb01d9
SHA1 hash:	2118e936c0f65245a7bd4713caf4dfb1bdff58e8
MD5 hash:	cf834361e7391f7fc59494143e36b629
humanhash:	wyoming-moon-quiet-tango
File name:	Order 811-52406 C&A - AW23.exe
Download:	download sample
Signature	GuLoader Alert Create hunting rule
File size:	683'909 bytes
First seen:	2023-11-27 11:08:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1f23f452093b5c1ff091a2f9fb4fa3e9 (274 x GuLoader, 36 x RemcosRAT, 23 x AgentTesla)
ssdeep	12288:b+8XG5SFEyclCv8epRr5tj+AbcAHbRp/1ylGnu1o+t:b+8BFslS8epRrrj+XAHrMsnYft
Threatray	2'528 similar samples on MalwareBazaar
TLSH	T101E41217F610BA63FF200631686ACEB75F64B5183A9C564673F7F26F2839721C608369
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	bcf6f4767636347c (11 x GuLoader, 5 x AZORult, 2 x AgentTesla)
Reporter	abuse_ch
Tags:	exe GuLoader

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

316

Origin country :

NL

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/460644/

ClamAV Detected

Detection(s):

SecuriteInfo.com.FileRepMalware.14388.29033.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Delayed reading of the file

Sending a custom TCP request

Dragonfly

Gathering data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

control installer lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/656478dc2efa450749a8f91b/reports/e06c3186-512c-4cdd-b985-ab9a2c8683a2/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/14d4d83349b6f4da3a7041b2b37449a45febf07849eb4b622024ffbd9b3e477d

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e4871c29-b42c-4706-82c1-e3864a5b249c

Joe Sandbox GuLoader

Result

Threat name:

GuLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad.spyw

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1348477

Signature

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

81%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/14d4d83349b6f4da3a7041b2b37449a45febf07849eb4b622024ffbd9b3e477d

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/14d4d83349b6f4da3a7041b2b37449a45febf07849eb4b622024ffbd9b3e477d/

ReversingLabs TitaniumCloud Win32.Trojan.Generic

Threat name:

Win32.Trojan.Generic

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-11-27 06:26:06 UTC

File Type:

PE (Exe)

Extracted files:

7

AV detection:

15 of 36 (41.67%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ctknqm2jw32nuotqigzlg5cjurp6x4dyjhvuwyraet733gz6i56q._file

Threatray agenttesla_v4 cloudeye

Verdict:

malicious

Label(s):

agenttesla_v4

Alert

Create hunting rule

cloudeye

Alert

Create hunting rule

Similar samples:

31fb4819331aedf0f62d1d5175cd5bd91d024f382ae7031816b5fe89e170ddd1

GuLoader

6af6f1e03bf8c177c98b8fe74b5dd447c19d8e8534f4a901935df29242a04dbe

GuLoader

7d7b62e77cbef24e0b75ea88d79b68a84e2fccdd74dac22de7c18476ce8313ce

GuLoader

7e512bb8c1dade78162ab6116b93dd3db2cbf91dddf09d05955fa5fdcdbd7113

GuLoader

c85d22efc496f0a219b604a451155446480f45d7e61c56fadedbf41688bede62

GuLoader

f0b55c8e1cc3fdb6e83a7dd6fe35da840db08e416294c90bb45f04b32b42f4f9

GuLoader

+ 2'518 additional samples on MalwareBazaar

Hatching Triage guloader

Result

Malware family:

guloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla family:guloader downloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231127-m86scsgb7s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

AgentTesla

Guloader,Cloudeye

UnpacMe 3

Unpacked files

SH256 hash:

1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

MD5 hash:

466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1 hash:

eb607467009074278e4bd50c7eab400e95ae48f7

Link:

https://www.unpac.me/results/2ac526c2-dd7d-4874-8856-21148d56ec77/

SH256 hash:

3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

MD5 hash:

0d7ad4f45dc6f5aa87f606d0331c6901

SHA1 hash:

48df0911f0484cbe2a8cdd5362140b63c41ee457

Link:

https://www.unpac.me/results/2ac526c2-dd7d-4874-8856-21148d56ec77/

SH256 hash:

14d4d83349b6f4da3a7041b2b37449a45febf07849eb4b622024ffbd9b3e477d

MD5 hash:

cf834361e7391f7fc59494143e36b629

SHA1 hash:

2118e936c0f65245a7bd4713caf4dfb1bdff58e8

Link:

https://www.unpac.me/results/2ac526c2-dd7d-4874-8856-21148d56ec77/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/14d4d83349b6f4da3a7041b2b37449a45febf07849eb4b622024ffbd9b3e477d

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe 14d4d83349b6f4da3a7041b2b37449a45febf07849eb4b622024ffbd9b3e477d

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/460644/