MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24f66a6c13d66769c8310979430a7e99adf15ef77c955f120f7bd3228adc53fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 8



SHA256 hash: 24f66a6c13d66769c8310979430a7e99adf15ef77c955f120f7bd3228adc53fd
SHA3-384 hash: bd3a88a363b986ab21dedf4a0e017becbb42c41b4275011dfa7343ecaeb36c51497d5378ecc5c3e35ca22347a5e7b031
SHA1 hash: dbc452845716ceb9d187b3c843221cded36737dd
MD5 hash: 3c1b174b8bb94dd37bbfa91af86fdae2
humanhash: carbon-coffee-fruit-louisiana
File name: SOA SEP 2022.exe
Signature: GuLoader
File size: 206'288 bytes
First seen: 2022-10-31 10:56:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep: 6144:/DSoIKtZXh6/WX9h30H5t0Pn4xEgT2o1wxAch:VtG/s9N8B6oSAW
Threatray: 23 similar samples on MalwareBazaar
TLSH: T1D8140221B3F4A80BD11B49B04DFE8979F7BBA345193257DB63709FB82D31286852E1C6
TrID:
  92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
  3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE): [icon image not captured]
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: adrian__luca
Tags: exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2022-10-25T06:27:34Z
Valid to: 2025-10-24T06:27:34Z
Serial number: 0706c39e57c36755
Thumbprint algorithm: SHA256
Thumbprint: 9adc696613c19055a3c71a81e5654ef3a4b43f560db79b0f386ae70856bac94d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform.

Intelligence


File Origin

# of uploads: 1
# of downloads: 423
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SOA SEP 2022.exe
Verdict: Malicious activity
Analysis date: 2022-10-31 11:00:45 UTC
Tags: installer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Maliciousness:

Behaviour
  Searching for the window
  Creating a file in the %temp% directory
  Creating a window
  Creating a file
  Delayed reading of the file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
  Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 68 / 100
Signature
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Tries to detect Any.run
  Writes to foreign memory regions
  Yara detected GuLoader

Behaviour
Behavior Graph (ID: 734247; sample: SOA SEP 2022.exe; start date: 31/10/2022; architecture: WINDOWS; score: 68)
  Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Machine Learning detection for sample
  SOA SEP 2022.exe (started)
    Dropped file: C:\Users\user\AppData\Local\...\System.dll (PE32)
    Signatures: Writes to foreign memory regions; Tries to detect Any.run
    CasPol.exe (started, three instances)
      Network: 192.227.183.138, port 80, AS-COLOCROSSINGUS, United States
      Signature: Tries to detect Any.run
      conhost.exe (started)

Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2022-10-25 06:50:23 UTC
File type: PE (Exe)
Extracted files: 6
AV detection: 17 of 24 (70.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
  Enumerates physical storage devices
  Drops file in Program Files directory
  Drops file in Windows directory
  Loads dropped DLL

Unpacked files
SHA256 hash: 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
MD5 hash: 960a5c48e25cf2bca332e74e11d825c9
SHA1 hash: da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256 hash: 24f66a6c13d66769c8310979430a7e99adf15ef77c955f120f7bd3228adc53fd
MD5 hash: 3c1b174b8bb94dd37bbfa91af86fdae2
SHA1 hash: dbc452845716ceb9d187b3c843221cded36737dd

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Category: Malspam
Malware family: GuLoader
Sample: Executable exe 24f66a6c13d66769c8310979430a7e99adf15ef77c955f120f7bd3228adc53fd (this sample)
Delivery method: Distributed via e-mail attachment