MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19e5b14651f7ad050e2b9dc95e5bb7574a8fdde378bfbc7101ee7e2276c23d62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	19e5b14651f7ad050e2b9dc95e5bb7574a8fdde378bfbc7101ee7e2276c23d62
SHA3-384 hash:	d5c7f00c63f68ef05686103154709bf2542b31bd1f7d060bfd6149fc7a930209fa7827247b2e1c9d7df57962966137cf
SHA1 hash:	7244b500832b2ed4d01306e2c6406e51e8fedebd
MD5 hash:	ebbb994d553f934b7b1dc05351bd64f6
humanhash:	angel-mountain-washington-hamper
File name:	potwierdzenie wplaty.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	255'552 bytes
First seen:	2022-05-09 12:31:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:x3yzt4lmkDDtNo+JfRdPHhc21c9Gr9gUDm3vxNT8:x3HFf/L55HO2KGBlDgc
Threatray	1'544 similar samples on MalwareBazaar
TLSH	T1A344E01D3615C0D6F88943716B36DB071A9FB843268215173BB1BAB89B353D3DA1FAC8
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8883b69d19c6c3c0 (38 x GuLoader, 6 x RemcosRAT, 6 x VIPKeylogger)
Reporter	Anonymous
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Iliocostalis5 SKYBANKES Kontoudskrifternes
Issuer:	Iliocostalis5 SKYBANKES Kontoudskrifternes
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-05-09T09:10:15Z
Valid to:	2023-05-09T09:10:15Z
Serial number:	-1d2002cbbf8193ee
Thumbprint Algorithm:	SHA256
Thumbprint:	59a37e44f60c6007526d7454eabbb7b94bb760e5198e0b65fd9b799755913756
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

potwierdzenie wplaty.exe

Verdict:

Malicious activity

Analysis date:

2022-05-09 12:33:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/38a11874-b316-46b0-a245-452a3ec4a9ca

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Dropper.Nanocore-9947074-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16782/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe nanocore overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6279098db119a5f609b3bfb3/reports/a1274ef7-31c5-4dc7-b1a7-8ade4412a1d3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b81a808f-a48c-42e2-8684-10491c085838

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/990154

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19e5b14651f7ad050e2b9dc95e5bb7574a8fdde378bfbc7101ee7e2276c23d62/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2022-05-09 12:32:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhs3crsr66wqkdrltxev4w5xk5fi7xpdpc73y4ib5z7ce5wchvra._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

09b3b8a4933696acf7585e19d17045af88d17aba682eb437291a2ccdd5e76ba3

GuLoader

1298d5b931dadd03d47b41c51556fb5707a6af6df9b4b483686fdbf155d083fd

GuLoader

2e93c7a4fbfb9407abd40c065b13cd3a4438483f008a06f2c692fc41b2d6dfee

GuLoader

3944b429bf931ab06a980d4d15dfd69b5ea442c68938e0aee354e6c25311f94f

GuLoader

75f352e00f106877b2e7197ab6b6be0234aba379dec517009a7e26bfef612921

GuLoader

bf4737d1003544ac9fa65fd5b2bc42114baa9691b968f7905d70f8b2c82a9672

GuLoader

c5cbf9085eac3f9c2b9cbbf939c90f00d041f0f598b7762af7b371fe3cb61def

GuLoader

+ 1'534 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/220509-pp3ygadba5/

Behaviour

Enumerates physical storage devices

Loads dropped DLL

Guloader,Cloudeye

Unpacked files

SH256 hash:

a52215a026e00aaf3ff12feab87993ee058acd6b7571ab8797cf12e3e5ee97b9

MD5 hash:

4eadd362c916f3793ff941454e0e093b

SHA1 hash:

66e013494700ec21cc511e77d1b1b2c5a12dcab2

Link:

https://www.unpac.me/results/07ee1be5-b15b-4948-a512-885cf3c2ccf5/

SH256 hash:

19e5b14651f7ad050e2b9dc95e5bb7574a8fdde378bfbc7101ee7e2276c23d62

MD5 hash:

ebbb994d553f934b7b1dc05351bd64f6

SHA1 hash:

7244b500832b2ed4d01306e2c6406e51e8fedebd

Link:

https://www.unpac.me/results/07ee1be5-b15b-4948-a512-885cf3c2ccf5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.93

Link:

https://yomi.yoroi.company/submissions/19e5b14651f7ad050e2b9dc95e5bb7574a8fdde378bfbc7101ee7e2276c23d62

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample