MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d03f988e19d2663762d9eda11bce6fc85dedc4bfd488301bd1d76c1a1429ad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	1d03f988e19d2663762d9eda11bce6fc85dedc4bfd488301bd1d76c1a1429ad2
SHA3-384 hash:	d3a34f3486331de40e6147e610cbe2bd94db149374bca58054213b17e2911f8c7d7f5cee9a1f463483089490f85ce93b
SHA1 hash:	dbf667211802d057ec5893490cd534dffcf0ce57
MD5 hash:	633bf2532aae9a46171fc65ff6c50f22
humanhash:	green-oscar-xray-romeo
File name:	STATEMENT OF ACCOUNTS - SEPTEMBER 2022.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	524'640 bytes
First seen:	2022-10-12 13:01:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep	12288:oSv6ymBW6V/EDp72+AfiCfDAMTVnldDPp0vCphiFA:FvaBJdg72fiCrAAVnPDPp06LiFA
Threatray	14'799 similar samples on MalwareBazaar
TLSH	T192B4E1807A82E85EE5994B32C441EE74E7714C391B518CD3E6A47FAF3B372523B9601B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8c8c9cb6b6366247 (5 x GuLoader)
Reporter	malwarelabnet
Tags:	AgentTesla exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-10-31T09:28:14Z
Valid to:	2024-10-30T09:28:14Z
Serial number:	79c3fad37ea2402b
Thumbprint Algorithm:	SHA256
Thumbprint:	40c2dfb6c662ad18892efbc4c384e3843f0ea9dfc322f0c026946f14502cd9bc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

459

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/319363/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.UGA.20041.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Creating a window

Searching for the window

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42673/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

buer overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6346bace316b332dfca8e333/reports/40493e2f-c03a-475c-9baf-7c0ea31b07be/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d979429c-9cb1-4c29-8829-1254632c9295

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1088798

Signature

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d03f988e19d2663762d9eda11bce6fc85dedc4bfd488301bd1d76c1a1429ad2/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2022-10-12 00:31:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dub7tchbtutgg5rnt3nbdphg7sc55xcl7veigan5dv3mdikctlja._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

23f6c24a5984c1bc1450f2d6eb32f3ece4e52bc275b4e9eea038db9f7f4f7717

GuLoader

4c5c4d61cf21e2f139dd12706f1996928a2f420d2161b6402564fe640bd94f4f

GuLoader

7dd92e873c628b396cdddf9fa1d616102db4381b29c6f3b3c6306d0899c5589f

GuLoader

939128fc3b36897c4e269b77c910f6ffbb9aafd7a33a97ba4394f949d16deb97

GuLoader

ac3492d6010c7164033f3460ab9ec0585a077cfdf97ec96f696bda4cd5ebae56

GuLoader

cfce7c3aadb84c16c0f356b6212ceb709f18cae0b4d798fbf5029a7241a8b2d1

GuLoader

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

GuLoader

+ 14'789 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:agenttesla family:guloader collection discovery downloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221012-p9sm8sded7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks installed software on the system

Checks QEMU agent file

Loads dropped DLL

AgentTesla payload

AgentTesla

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/343b43cc-4536-4dfa-99b0-48619887e21d

Unpacked files

SH256 hash:

ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

MD5 hash:

0063d48afe5a0cdc02833145667b6641

SHA1 hash:

e7eb614805d183ecb1127c62decb1a6be1b4f7a8

Link:

https://www.unpac.me/results/2acca0cd-60cd-4fb3-8b12-1e4bfd77ead8/

Parent samples :

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

SH256 hash:

1d03f988e19d2663762d9eda11bce6fc85dedc4bfd488301bd1d76c1a1429ad2

MD5 hash:

633bf2532aae9a46171fc65ff6c50f22

SHA1 hash:

dbf667211802d057ec5893490cd534dffcf0ce57

Link:

https://www.unpac.me/results/2acca0cd-60cd-4fb3-8b12-1e4bfd77ead8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1d03f988e19d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1d03f988e19d2663762d9eda11bce6fc85dedc4bfd488301bd1d76c1a1429ad2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/319363/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample