MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 170c975fcc5fe2d88efb48c73907908fbcbd157f77e665ddfad95025ada0a7ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	170c975fcc5fe2d88efb48c73907908fbcbd157f77e665ddfad95025ada0a7ed
SHA3-384 hash:	b4e36d2c738652d643e60fa651eff55e250d3170a497f3d83c3d8db67e7d2919009a5f880464f6c793c6b259d702e682
SHA1 hash:	7325639f39d63f089575f6f162d265cebf946c69
MD5 hash:	e8a765f37744ce185af2010805b672ce
humanhash:	lion-tennessee-fanta-bakerloo
File name:	SecuriteInfo.com.Variant.Tedy.166869.23894.14317
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	1'716'176 bytes
First seen:	2022-07-14 18:33:44 UTC
Last seen:	2022-07-14 21:58:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f10e4da994053bf80c20cee985b32e29 (65 x GuLoader, 9 x RemcosRAT, 6 x QuasarRAT)
ssdeep	24576:ptTaR+7L01plGWE3+wH+o0tZDfGPbaK2uvjG4Hmwpc6zU3qVuD4:CALgpMz0DfGPb6kjG4XAaVg4
TLSH	T1948533213770E061DDA65770ACB9CE3BA713BC7A1CE1064BBCFA7A6EF4725414016C99
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	29595ad839a9d4d4 (1 x GuLoader)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Siksakkurser1 CURSEDER Labbella Utrnede Throwster7
Issuer:	Siksakkurser1 CURSEDER Labbella Utrnede Throwster7
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-07-14T05:13:30Z
Valid to:	2023-07-14T05:13:30Z
Serial number:	-23a2fb563128d389
Thumbprint Algorithm:	SHA256
Thumbprint:	3e6cde3eaee507361b008985703f58339db36f4b3a12bf490d378fb969083e24
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Tedy.166869.23894.14317

Verdict:

Malicious activity

Analysis date:

2022-07-14 20:58:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c2577a1c-4580-4f07-865e-5ad778c21444

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/289155/

Detection(s):

SecuriteInfo.com.Variant.Tedy.166869.23894.14317.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

buer overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62d061da8dab2096b99a771a/reports/f97197e2-9434-49f8-988e-4689fd1b0f6e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a5ee1db6-dfa0-45f1-b4de-9c01f0f7c1b6

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

evad.troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1031727

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/170c975fcc5fe2d88efb48c73907908fbcbd157f77e665ddfad95025ada0a7ed/

Threat name:

Win32.Trojan.Shelsy

Status:

Malicious

First seen:

2022-07-14 14:58:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4gjox6ml7rnrdx3jddtsb4qr66l2fl7o7tglxp23ficllnau7wq._file

Verdict:

malicious

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/220714-w7q5ysacck/

Behaviour

Enumerates physical storage devices

Drops file in Program Files directory

Loads dropped DLL

Guloader,Cloudeye

Unpacked files

SH256 hash:

c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

MD5 hash:

792b6f86e296d3904285b2bf67ccd7e0

SHA1 hash:

966b16f84697552747e0ddd19a4ba8ab5083af31

Link:

https://www.unpac.me/results/3623ba76-3635-4239-9b0a-503e0730d28a/

SH256 hash:

711427242bff919c78fbba2b298b5d5898f75d73f1d7f4c4eb22badf525864a5

MD5 hash:

70ba99745542354a2efcb1c2f167b62b

SHA1 hash:

8b18bc8d3e6e52222baef7ab7ab125436ef5c966

Link:

https://www.unpac.me/results/3623ba76-3635-4239-9b0a-503e0730d28a/

SH256 hash:

170c975fcc5fe2d88efb48c73907908fbcbd157f77e665ddfad95025ada0a7ed

MD5 hash:

e8a765f37744ce185af2010805b672ce

SHA1 hash:

7325639f39d63f089575f6f162d265cebf946c69

Link:

https://www.unpac.me/results/3623ba76-3635-4239-9b0a-503e0730d28a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/170c975fcc5fe2d88efb48c73907908fbcbd157f77e665ddfad95025ada0a7ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/289155/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample