MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b370d79df7c09342bb6fb8ad073474533310274a011593e4f40d6e7297b43fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b370d79df7c09342bb6fb8ad073474533310274a011593e4f40d6e7297b43fe
SHA3-384 hash: aa683e7f8ae6c2aae1977721e83bc24f997766267909d4d1b89352b4c35f5c8e51b567a43920de22f7d2e9598fc29324
SHA1 hash: 4c73e879cc0f50fa0e07b60349e0ac3bfa53d2c1
MD5 hash: 11d897c228ac0e871e95d7ef0985504d
humanhash: winner-fourteen-ohio-speaker
File name:SecuriteInfo.com.W32.Injector.XBOP-6641.27720.28084
Download: download sample
Signature GuLoader
Create hunting rule
File size:526'504 bytes
First seen:2023-12-05 15:22:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (725 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:Mbip2zW1/ykRVcJ5/N2r8lM9E9gE4UqlT8ICRhv1PNA9uLqSHhA4BL:MbiIzW1/zVGsX6SpZGv11A9hiBL
Threatray 4'283 similar samples on MalwareBazaar
TLSH T1DCB4014D7BA4C89BEF710F3168A6C76B5BBCAC581F130A07276A7ACD3B307A09914345
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 92f1ac86deccf032 (2 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:rundhaandede
Issuer:rundhaandede
Algorithm:sha256WithRSAEncryption
Valid from:2023-07-03T23:26:31Z
Valid to:2026-07-02T23:26:31Z
Serial number: 11108bafd2d386c5ee407355cc25f473ae756973
Thumbprint Algorithm:SHA256
Thumbprint: 09145e489cd9fb0c6f4b8b438d9add88aa5c3b9bb0f8ddc132d4b85cd76d7220
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462656/
Detection(s):
SecuriteInfo.com.W32.Injector.XBOP-6641.27720.28084.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656f405bda3178d99cd8970e/reports/9baa82b2-bd05-4336-be91-26aa5871379e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2b370d79df7c09342bb6fb8ad073474533310274a011593e4f40d6e7297b43fe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c298295e-bdeb-4990-b014-9d43e925c9b8
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1354029
Signature
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2b370d79df7c09342bb6fb8ad073474533310274a011593e4f40d6e7297b43fe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b370d79df7c09342bb6fb8ad073474533310274a011593e4f40d6e7297b43fe/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-05 12:44:53 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fm3q26o7pqetik5w7ofna42hiuztcatuuaivspspidlookl3ip7a._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
GuLoader
29032ae14e315863a55a0851c3e1c9cb246beb4513a279d8b1bf7fac97be6ff7
GuLoader
2bab4b4ef0cd5ce5f2dff0ddcbdfb7295c0d141fb4c88ec305268b24a3e23a5c
GuLoader
3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb
GuLoader
79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d
GuLoader
8eaffa403a0bacae0e43928c07f77ea8540b480eda49e10d4a44079b8e0236fe
GuLoader
9ada0ca121fe2b402b0da1728cd9f1fbb36d61a62fd40bbe8428756c329e04e8
GuLoader
da9c5f609ebbcf19aef3d6992d451ccbe4fa77858660f6861146d1a486e1d98e
GuLoader
ebb0272ecef9d8bf07a71b9ead8718760d27c4fdc334fe2de7a8b93237e61044
GuLoader
f747c8459e01b65714e550719afb55cbe6ccb459ddadaf611b35f3454086c8ea
GuLoader
+ 4'273 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231205-ssfh5acc57/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/ae0e3aad-1949-40a0-8e1f-495b838436e6/
SH256 hash:
2b370d79df7c09342bb6fb8ad073474533310274a011593e4f40d6e7297b43fe
MD5 hash:
11d897c228ac0e871e95d7ef0985504d
SHA1 hash:
4c73e879cc0f50fa0e07b60349e0ac3bfa53d2c1
Link:
https://www.unpac.me/results/ae0e3aad-1949-40a0-8e1f-495b838436e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b370d79df7c09342bb6fb8ad073474533310274a011593e4f40d6e7297b43fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462656/

Comments