MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: GuLoader
Vendor detections: 9

SHA256 hash: 166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
SHA3-384 hash: 406174c4100397419458aa7f2bb8e46f385b8bdbcf8223ed7f1d36bb0da1659258bd8aa0d3ae3431bc4dfa4891500c66
SHA1 hash: afd88db604950fa48f84c962794c34805b4cec97
MD5 hash: 58f6d428bdcea5c81d3486f60cbd4244
humanhash: fruit-oscar-alabama-johnny
File name: Pteranodontidae.exe
Signature: GuLoader
File size: 144'824 bytes
First seen: 2022-10-10 06:11:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep: 3072:ZDJ0rZo6StCBXJP3WHohwXaNHAUenB8QX4R6Gj5QzhqZCxTAII8nxJ:ZDSoIEdalxt30Gj5QQZCyII8T
Threatray: 13 similar samples on MalwareBazaar
TLSH: T169E3023756E418A7E9C34A722A72AB3BE7B9F600092441874711DB782F327D7EA170D6
TrID: 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
      3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: adrian__luca
Tags: exe GuLoader signed
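The hashes above are the IOCs most analysts will actually consume from this entry. The script below is an added example, not MalwareBazaar's own code: it computes the four digests the entry publishes (MD5, SHA1, SHA256, SHA3-384), matches a file against the hash set copied from this page (the packed Pteranodontidae.exe and the unpacked file listed under "Unpacked files" further down), and verifies by SHA256 that a downloaded sample is the one this entry describes. SAMPLE_BYTES is a constructed stand-in so the script runs offline; it is not the malware, so it will not match.

```python
"""Added example (not MalwareBazaar's code): hash-IOC matching for this entry.

IOC_HASHES is copied from the MalwareBazaar entry above. SAMPLE_BYTES is a
constructed stand-in payload so the script runs offline without the sample.
"""
import hashlib

# Hash IOCs copied from this MalwareBazaar entry (packed sample + unpacked file).
IOC_HASHES = {
    "sha256": {
        "166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00",  # Pteranodontidae.exe
        "8a0c447f38d4447d7e35d31aefafbaa66a8074699e41d5bfff8757586ba6079b",  # unpacked file
    },
    "sha1": {
        "afd88db604950fa48f84c962794c34805b4cec97",
        "a31e16f41ce62ec1cc3fb3fa6fe93740d9952ac8",
    },
    "md5": {
        "58f6d428bdcea5c81d3486f60cbd4244",
        "6d16df21986d5f5990f98cee156f1a5d",
    },
    "sha3_384": {
        "406174c4100397419458aa7f2bb8e46f385b8bdbcf8223ed7f1d36bb0da1659258bd8aa0d3ae3431bc4dfa4891500c66",
    },
}

# Constructed stand-in, not the GuLoader sample. A real NSIS stub also starts
# with "MZ", which is irrelevant to a hash lookup but keeps the example honest.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the GuLoader sample"

# The four digests MalwareBazaar publishes per file; all are in hashlib (3.6+).
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def compute_hashes(data: bytes) -> dict:
    """Return {algorithm: lowercase hex digest} for an in-memory blob."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashes without reading it fully into memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_iocs(digests: dict, iocs=IOC_HASHES) -> list:
    """Return the algorithms under which `digests` hits the IOC set (empty = no match).

    Comparison is case-insensitive: feeds and tools disagree on hex case, and a
    missed match on case alone is a silent false negative.
    """
    hits = []
    for algo, value in digests.items():
        known = {h.lower() for h in iocs.get(algo, ())}
        if value.lower() in known:
            hits.append(algo)
    return sorted(hits)


def verify_download(path, expected_sha256: str) -> bool:
    """Confirm a sample fetched from MalwareBazaar is the one this entry describes.

    Only SHA256 is trusted for verification. MD5 and SHA1 stay in the IOC set so
    older feeds can still be matched, but neither is collision-resistant.
    """
    return hash_file(path)["sha256"] == expected_sha256.lower()


if __name__ == "__main__":
    digests = compute_hashes(SAMPLE_BYTES)
    for algo in ALGORITHMS:
        print(f"{algo:9s} {digests[algo]}")
    print("IOC hits:", match_iocs(digests) or "none")
```

A hash hit means this exact file (or its unpacked payload, if you dump memory after the NSIS stub unpacks it); a miss says nothing about a recompiled GuLoader stub. The imphash and dhash values on this page are the coarser pivots for that case, and the imphash counts above show why they need corroboration: the same import table is shared with AgentTesla and AZORult builds.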

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T03:36:43Z
Valid to:2025-08-16T03:36:43Z
Serial number: 7bff14ef02a414b9
Thumbprint Algorithm:SHA256
Thumbprint: 38e7a267cf2da01b783398b7a5df1c4b8598247e2cda5b968e092ce39d8d5ec9
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 296
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2022-10-03 19:33:19 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 20 of 26 (76.92%)
Threat level: 5/5

Result
Malware family: guloader
Score: 10/10
Tags: family:guloader discovery downloader
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Checks installed software on the system
Loads dropped DLL

Guloader,Cloudeye
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 8a0c447f38d4447d7e35d31aefafbaa66a8074699e41d5bfff8757586ba6079b
MD5 hash: 6d16df21986d5f5990f98cee156f1a5d
SHA1 hash: a31e16f41ce62ec1cc3fb3fa6fe93740d9952ac8
SHA256 hash: 166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
MD5 hash: 58f6d428bdcea5c81d3486f60cbd4244
SHA1 hash: afd88db604950fa48f84c962794c34805b4cec97

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Malware family: GuLoader
File: Executable exe 166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00 (this sample)
Delivery method: Distributed via e-mail attachment
