MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a6653ae72f38620dcd1d53caa82bd341b82be633ca1be99ecf372480d972f0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a6653ae72f38620dcd1d53caa82bd341b82be633ca1be99ecf372480d972f0a
SHA3-384 hash: ff99517966897cea1bae5a9acd46774bb8819f87b7264b3e1dbb38215577f6b84b90fe9bdeebe06f342e4e81b18afa01
SHA1 hash: b4262fbbdb496538b9fb6a1d7576f368406916d5
MD5 hash: 33f1ac98f66d9401e29e95fad2aeb4d3
humanhash: music-finch-zebra-nevada
File name:RFQ 10769.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:613'880 bytes
First seen:2023-12-04 09:12:48 UTC
Last seen:2023-12-04 11:21:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93dfc16ed07ebeb5b405221f10d12c0e (30 x GuLoader, 4 x RemcosRAT, 1 x AgentTesla)
ssdeep 12288:AS2dfQBQfYBzJtHdw8bTKrw/Ox4ZUoH/3VI+4:z2dfWXBzJZDWKZZ3S+4
TLSH T1F8D4F103B78C898FD9621BB051B3A64B57F0BDF515B502167E28786F9D3B3811A3AF18
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6ad3dbc9e394c478 (3 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Bjrnebrrenes
Issuer:Bjrnebrrenes
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-15T01:29:04Z
Valid to:2026-06-14T01:29:04Z
Serial number: 5631e9a3f8aea8f8435ca2bc643f5f508d8445a0
Thumbprint Algorithm:SHA256
Thumbprint: 6780ab04856296b882907861b5d2d46d4863284605f77a5edeccc64bf55b2870
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462291/
Detection(s):
SecuriteInfo.com.FileRepMalware.26734.9467.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Searching for the window
Searching for the Windows task manager window
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656d9822fb43e835e6bd8095/reports/391625b1-d74e-4e6d-b195-6b2d239a4221/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2a6653ae72f38620dcd1d53caa82bd341b82be633ca1be99ecf372480d972f0a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97c7aa99-827b-448a-9b3a-0472a57f7fdb
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353000
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1353000 Sample: RFQ_10769.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 33 etasimali.com 2->33 35 mail.etasimali.com 2->35 37 2 other IPs or domains 2->37 49 Snort IDS alert for network traffic 2->49 51 Antivirus detection for URL or domain 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 6 other signatures 2->55 9 RFQ_10769.exe 39 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\Ddsliste.Cha, data 9->25 dropped 27 C:\Users\user\AppData\...\Stdbrnde67.Pon, ASCII 9->27 dropped 29 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->29 dropped 31 2 other files (none is malicious) 9->31 dropped 65 Suspicious powershell command line found 9->65 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 67 Suspicious powershell command line found 13->67 69 Very long command line found 13->69 71 Found suspicious powershell code related to unpacking or dynamic code loading 13->71 16 powershell.exe 14 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 45 Writes to foreign memory regions 16->45 47 Maps a DLL or memory area into another process 16->47 21 MSBuild.exe 15 8 16->21         started        process11 dnsIp12 39 etasimali.com 146.88.237.40, 49738, 49739, 587 PLANETHOSTER-8CA France 21->39 41 185.255.114.18, 49736, 80 DEDIPATH-LLCUS Germany 21->41 43 api4.ipify.org 64.185.227.156, 443, 49737 WEBNXUS United States 21->43 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->57 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->59 61 Tries to steal Mail credentials (via file / registry access) 21->61 63 2 other signatures 21->63 signatures13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2a6653ae72f38620dcd1d53caa82bd341b82be633ca1be99ecf372480d972f0a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a6653ae72f38620dcd1d53caa82bd341b82be633ca1be99ecf372480d972f0a/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 06:12:36 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fjtfhlts6odcbxgr2u6kvav5gqnyfptdhsq35gpm6nzeqdmxf4fa._file
Verdict:
unknown
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/231204-k6q8saab72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
e18005b81ab18ca5afcab9b6a47d0f024535b66d1f02dc2c5e2c7f28faa21516
MD5 hash:
d3d76d8a516ceb45b8d354544c7fdec4
SHA1 hash:
0a39185c2292d3124f5139717ca9d00cd5a046b3
Link:
https://www.unpac.me/results/1ee4f3f7-3ab0-4f79-bc46-80715a960722/
SH256 hash:
14ebfa0711b48ec748b6e4985db4b99a827996ae44b28122d16f14d0d0f51bb6
MD5 hash:
84bcbefa5fe3d82647a15f135f22fb2a
SHA1 hash:
7c23a0c1a8b185f5af456dafa63a3c1207d8c1dc
Link:
https://www.unpac.me/results/1ee4f3f7-3ab0-4f79-bc46-80715a960722/
SH256 hash:
99c7654e291227686ffd9414bf77dc6c62d2b712f10348fd8a0697cd4940ef75
MD5 hash:
78e5813c5712f365d29f17e4f2aba6bb
SHA1 hash:
77fdf437a119d6cb6bd9b47b6073932aa419c928
Link:
https://www.unpac.me/results/1ee4f3f7-3ab0-4f79-bc46-80715a960722/
SH256 hash:
cd962e37d655e66c81ba14a184b5959b85b80d0929725119ccd226f5ffb622a2
MD5 hash:
d7e3e8edfd38663f63e5440460ec4c0f
SHA1 hash:
1f347bf304982256102fcaaea32a52fccdc59caf
Link:
https://www.unpac.me/results/1ee4f3f7-3ab0-4f79-bc46-80715a960722/
SH256 hash:
2a6653ae72f38620dcd1d53caa82bd341b82be633ca1be99ecf372480d972f0a
MD5 hash:
33f1ac98f66d9401e29e95fad2aeb4d3
SHA1 hash:
b4262fbbdb496538b9fb6a1d7576f368406916d5
Link:
https://www.unpac.me/results/1ee4f3f7-3ab0-4f79-bc46-80715a960722/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a6653ae72f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a6653ae72f38620dcd1d53caa82bd341b82be633ca1be99ecf372480d972f0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 2a6653ae72f38620dcd1d53caa82bd341b82be633ca1be99ecf372480d972f0a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462291/

Comments