MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 233640b77bcb1840df2bfa81425197bba0cf97bec7eda35a2c46b314840faa8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 233640b77bcb1840df2bfa81425197bba0cf97bec7eda35a2c46b314840faa8d
SHA3-384 hash: a5c76a5e4a871706db2f2c228466b1db9e8feceffe1a882723265595720360f9cd288bbb1ef6155355aaa7d9ab07fcc5
SHA1 hash: 5935496311ca99c83ea08bdf6294997163502e70
MD5 hash: 31fca943db091aa420cc11194740190f
humanhash: artist-pizza-muppet-idaho
File name:INVO-0987654345678.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:351'696 bytes
First seen:2022-09-28 06:36:54 UTC
Last seen:2022-09-28 08:12:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d4b94e8ee3f620a89d114b9da4b31873 (90 x GuLoader, 18 x njrat, 9 x RemcosRAT)
ssdeep 3072:q1T//IHWyWJADJuLxh0VqBoU3LAzPbbUAR2YOTJdJtuyKFQNNCg7XneldEsznxg:8//I2y34WVqB0DLrOTbuyKSCAneld7m
Threatray 864 similar samples on MalwareBazaar
TLSH T14D749DD2F12085EDED6A173264274C920D932CBDE6B5D15C71F972223BF72A3402E96B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 068f0b2a2b363f06 (19 x SnakeKeylogger, 8 x AgentTesla, 8 x MassLogger)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-13T07:02:03Z
Valid to:2025-08-12T07:02:03Z
Serial number: -6d78a54dbdd267ee
Thumbprint Algorithm:SHA256
Thumbprint: 0eb210d46ce7dcaefb00daf2108ccdfce123447eac4f73aedfe0ac0395dfcc50
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314228/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.11230.12864.29892.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39655/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6333eb9049c58ce767c3e856/reports/355ef5b1-6c60-45da-8e61-adf43f91b35b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ea55361b-2b08-48f1-8063-ffe1dbdd559d
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078953
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/233640b77bcb1840df2bfa81425197bba0cf97bec7eda35a2c46b314840faa8d/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2022-09-27 13:01:04 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
18 of 40 (45.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=em3ebn33zmmebxzl7kaueumxxoqm7f56y7w2gwrmi2zrjbapvkgq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
275db34b1b3d894ed18fba50f477ca897bb3656682c7d0ef2941bd7c696e9f80
GuLoader
595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb
GuLoader
7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7
GuLoader
7d99aa5b81da99461aa61d5542cabce7bc5ffedc56cd1c1d9d6e58e242b38802
GuLoader
a18ab93f8c9268841b6cd59842a935651d9267fa2b8f72b2196cf68f7b57df9d
GuLoader
a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675
GuLoader
e5653285dfebc9a95f3a866693752e3f0e62ae312aaf054249067e22cf5836a5
GuLoader
e5bfe8964d886c8ab3506dd2eb0fef5e7d01393a4dde09c731622650f8fa5dc1
GuLoader
f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d
GuLoader
+ 854 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220928-hdggrsgcgl/
Behaviour
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/879b1c48-1a77-48b7-9781-9c96e697b0dc
Unpacked files
SH256 hash:
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
MD5 hash:
ee260c45e97b62a5e42f17460d406068
SHA1 hash:
df35f6300a03c4d3d3bd69752574426296b78695
Link:
https://www.unpac.me/results/efb54793-79f7-40d7-b743-c97c55c233f2/
SH256 hash:
233640b77bcb1840df2bfa81425197bba0cf97bec7eda35a2c46b314840faa8d
MD5 hash:
31fca943db091aa420cc11194740190f
SHA1 hash:
5935496311ca99c83ea08bdf6294997163502e70
Link:
https://www.unpac.me/results/efb54793-79f7-40d7-b743-c97c55c233f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/233640b77bcb1840df2bfa81425197bba0cf97bec7eda35a2c46b314840faa8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 233640b77bcb1840df2bfa81425197bba0cf97bec7eda35a2c46b314840faa8d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314228/

Comments