MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 200f037c6b5ea5be4526e928cd5aa0dbc5d7f6ab48f446cdff0ff07fed2db738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	200f037c6b5ea5be4526e928cd5aa0dbc5d7f6ab48f446cdff0ff07fed2db738
SHA3-384 hash:	31b795aa9bf312c48620e77a0a773f433d19e3cec2dd91a2a896618670ea6165c5eed4303f6ced6398f98915ca8ab029
SHA1 hash:	bfa01d988b3006b079324209af9e31f88705ce40
MD5 hash:	c00a8265e9692d06f9f985705a863b82
humanhash:	low-foxtrot-leopard-december
File name:	SecuriteInfo.com.generic.ml.16906.24290
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	210'752 bytes
First seen:	2022-08-18 03:28:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b78ecf47c0a3e24a6f4af114e2d1f5de (300 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep	3072:O8bQCLmGlFIdc6yb+W/Vxa/laZWpFVQNfQfu80y40lW2Prb+yKAX:OyIjs7asiP44fRLW2HlKA
Threatray	1'942 similar samples on MalwareBazaar
TLSH	T1D524E0523AE0F0A3CC215A7228B1D5534B3EFD561A015F2737857F2F2CBA3819F062A5
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	70d1d5a8c1bb948c (1 x GuLoader)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Requalified soaplike Copulative
Issuer:	Requalified soaplike Copulative
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-10-20T17:12:00Z
Valid to:	2024-10-19T17:12:00Z
Serial number:	-69a0be8b9bcb7e21
Thumbprint Algorithm:	SHA256
Thumbprint:	de33e6f03ed495b7f9e3bc3886716dd57929b47b7cff25b8602e1c1a9421b2e8
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

guloader

ID:

File name:

SecuriteInfo.com.generic.ml.16906.24290

Verdict:

Malicious activity

Analysis date:

2022-08-18 03:29:49 UTC

Tags:

guloader

Link:

https://app.any.run/tasks/ea3cce03-0d61-4836-9419-1bf44859144b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/299445/

Detection(s):

SecuriteInfo.com.generic.ml.16906.24290.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file

Searching for the window

Creating a file in the %temp% subdirectories

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/29345/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

buer overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62fdb216a6276e777d297671/reports/7dbd55ac-1cb1-4e00-831e-14e18581fb45/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/13373760-fd7c-440b-bd5c-2067bbbd9292

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1053523

Signature

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/200f037c6b5ea5be4526e928cd5aa0dbc5d7f6ab48f446cdff0ff07fed2db738/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2022-08-18 03:29:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eahqg7dll2s34rjg5eum2wva3pc5p5vljd2entp7b7yh73jnw44a._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

41810fd3481f8d4ccfb45fddc97fef5ccdff10af555a2c1fa239c541d3fd16a3

GuLoader

4d688c6baec0d972c248f7747f18dc385e67a0fb2b1a5deb70f324b16220780d

GuLoader

519b200245762b9c2fa1e8d1b86dde5a85ed8c2284a4d7751232cbe77fec26e0

GuLoader

599464e9dca4466c9c706242f64124bd1d3fe8b42e5e3fa88791e7a9d01b82dc

GuLoader

791bbf5640c84055581951ad987ddbe8ef4e3e4a32147f4b79f669e575d282de

GuLoader

8da277d229f4f957841a556c88217fb66773203b1382a0673b2895a6a45e65cd

GuLoader

c509b66c0755a4e9e7b7ad209f460f7765b6c06954c9c4f88f051c14cdbc1f6b

GuLoader

f3100e1ff79518aafd23f706e705e0c0639c4d76cb42df14a73268ab78aac4e8

GuLoader

+ 1'932 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/220818-d1w4hsgfek/

Behaviour

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Loads dropped DLL

Guloader,Cloudeye

Unpacked files

SH256 hash:

fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

MD5 hash:

3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1 hash:

fe582246792774c2c9dd15639ffa0aca90d6fd0b

Link:

https://www.unpac.me/results/15b77cfb-4a2c-4d1c-8d17-4556f5d98b9a/

SH256 hash:

200f037c6b5ea5be4526e928cd5aa0dbc5d7f6ab48f446cdff0ff07fed2db738

MD5 hash:

c00a8265e9692d06f9f985705a863b82

SHA1 hash:

bfa01d988b3006b079324209af9e31f88705ce40

Link:

https://www.unpac.me/results/15b77cfb-4a2c-4d1c-8d17-4556f5d98b9a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/200f037c6b5ea5be4526e928cd5aa0dbc5d7f6ab48f446cdff0ff07fed2db738

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/299445/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample