MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e91797d780199345ea85b22c70d351f59e01273c4446b3bfaee788cf0b9c91b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e91797d780199345ea85b22c70d351f59e01273c4446b3bfaee788cf0b9c91b
SHA3-384 hash: fd6cf45d2d7af78beeb38440f340a73e40eb9147251687e8f0d611b0c81da1ccb8b728097bea0342c95a74c2f9236ae8
SHA1 hash: 0da095e639bd156a91099a480249df8936b045a2
MD5 hash: 643dcc26eb4df51ef42a5110f2ad6fb0
humanhash: hotel-kansas-arizona-lithium
File name:Harvest Global Markets.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:349'048 bytes
First seen:2022-02-10 16:27:36 UTC
Last seen:2022-02-10 19:18:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:8bE/HUK5nVZmmzWHc7W/Ia12YeoTjiX1Vvoi652gDf4lDJw58rvGz5bw:8b+5nVZ5zW8S/bpvCX1sSlGKvGtE
Threatray 1'550 similar samples on MalwareBazaar
TLSH T165741202F7609063F5BA1E7009F7FE668BEC94215664CB371B80905C7DB37825E4EB96
File icon (PE):PE icon
dhash icon bb3bf39a9ed9e6b2 (2 x GuLoader, 1 x ZLoader)
Reporter GovCERT_CH
Tags:BITMNSTER exe GuLoader signed

Code Signing Certificate

Organisation:BITMNSTER
Issuer:BITMNSTER
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-10T12:45:20Z
Valid to:2023-02-10T12:45:20Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 27f7137f65304ec231b1be5554a6a809a3357ffaf57a8d0e706a5f2d02c8cf7c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240675/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.9858.20721.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
DNS request
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62053d16289e2f3e4fbcfed3/reports/0be87146-2f09-4276-974a-2209acef0f33/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/94465a99-07fc-4ea2-88ee-6e4f83fcec89
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.adwa.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937763
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found PHP interpreter
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 570242 Sample: Harvest Global Markets.exe Startdate: 10/02/2022 Architecture: WINDOWS Score: 100 29 api.telegram.org 2->29 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 8 other signatures 2->41 8 Harvest Global Markets.exe 23 2->8         started        signatures3 process4 file5 19 C:\Users\user\AppData\Local\Temp\phpdbg.exe, PE32+ 8->19 dropped 21 C:\Users\user\AppData\Local\...\System.dll, PE32 8->21 dropped 23 C:\Users\user\AppData\Local\...\LangDLL.dll, PE32 8->23 dropped 25 C:\Users\user\AppData\Local\...\libsasl.dll, PE32+ 8->25 dropped 43 Writes to foreign memory regions 8->43 45 Tries to detect Any.run 8->45 47 Hides threads from debuggers 8->47 12 CasPol.exe 15 11 8->12         started        signatures6 process7 dnsIp8 31 45.137.22.111, 49796, 80 ROOTLAYERNETNL Netherlands 12->31 33 api.telegram.org 149.154.167.220, 443, 49808 TELEGRAMRU United Kingdom 12->33 27 C:\Windows\System32\drivers\etc\hosts, ASCII 12->27 dropped 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->49 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->51 53 Tries to steal Mail credentials (via file / registry access) 12->53 55 6 other signatures 12->55 17 conhost.exe 12->17         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e91797d780199345ea85b22c70d351f59e01273c4446b3bfaee788cf0b9c91b/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 14:32:31 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
18 of 42 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2ixs7lyagmtixvilmrmodjvd5m6aettyrcgwo725z4iz4fzzenq._file
Verdict:
unknown
Similar samples:
00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683
GuLoader
10f957f6ae25382ddca0fc6fbd364f20d6e4cfa2f49728167bc1504cd3be0c46
GuLoader
4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911
GuLoader
4fa28556557b228a0cabb6a51597217e09afdf58a140b1181f0bd8325e6e4d0f
GuLoader
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
GuLoader
7916f9aeaf36a8fec95e5a5cb7372f509e6597d3b8648a636b425f382e6993f8
GuLoader
c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd
GuLoader
c5c0fbca778f53dc085d84ad3f038e4a20bce7add5f07012594194bc3bca522a
GuLoader
+ 1'540 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220210-tynblaaebq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/bfd96a63-370a-4341-a528-a907fd823635/
SH256 hash:
1e91797d780199345ea85b22c70d351f59e01273c4446b3bfaee788cf0b9c91b
MD5 hash:
643dcc26eb4df51ef42a5110f2ad6fb0
SHA1 hash:
0da095e639bd156a91099a480249df8936b045a2
Link:
https://www.unpac.me/results/bfd96a63-370a-4341-a528-a907fd823635/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 1e91797d780199345ea85b22c70d351f59e01273c4446b3bfaee788cf0b9c91b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/240675/

Comments