MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34db50498fc68bd69ee687abc8634fa85228b02f8683267e70ef54e625316060. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	34db50498fc68bd69ee687abc8634fa85228b02f8683267e70ef54e625316060
SHA3-384 hash:	c28ed4250f8808513ffefd889f9ee879121926bb1eab01c58b2bc86443d62085d561c9149a0b7ececb8a5ca7d07b973b
SHA1 hash:	15b128b4d21295eb9cbb519a3d4154934cb419a0
MD5 hash:	0b22c43af8ee5ffcadf23001259b63b9
humanhash:	twelve-blue-red-echo
File name:	34db50498fc68bd69ee687abc8634fa85228b02f8683267e70ef54e625316060
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	786'517 bytes
First seen:	2023-06-09 11:41:55 UTC
Last seen:	2023-06-09 12:54:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1f23f452093b5c1ff091a2f9fb4fa3e9 (285 x GuLoader, 40 x RemcosRAT, 28 x VIPKeylogger)
ssdeep	12288:9PKcWfPW1nUOMaxK6+G4ezecBquR3AhzdmgO1td:FWonUZa46+GpK6VwfOp
Threatray	1'190 similar samples on MalwareBazaar
TLSH	T195F459341F98C813E35194B871E1CAD8EE75FD0C326ACD52EEE7786A66786C168F9103
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	71f0d4ccccf0e971 (4 x GuLoader, 1 x AgentTesla)
Reporter	adrian__luca
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

34db50498fc68bd69ee687abc8634fa85228b02f8683267e70ef54e625316060

Verdict:

No threats detected

Analysis date:

2023-06-09 11:40:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e2d56706-6a79-4950-85cd-352a27c42c07

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/397378/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67227091.3076.8333.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Searching for the window

Delayed reading of the file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90131/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6483100a39ba775c46e0bd04/reports/1417d06e-1a13-4be5-a775-62056b59e375/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/34db50498fc68bd69ee687abc8634fa85228b02f8683267e70ef54e625316060

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9b648ad3-da53-4a66-962a-fc855067e08a

Result

Threat name:

GuLoader, AgentTesla

Detection:

malicious

Classification:

troj.evad.spyw

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1251907

Signature

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34db50498fc68bd69ee687abc8634fa85228b02f8683267e70ef54e625316060/

Threat name:

Win32.Trojan.InjectorX

Status:

Malicious

First seen:

2023-05-25 13:06:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 37 (29.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gtnvasmpy2f5nhxgq6v4qy2pvbjcrmbpq2bsm7tq55komjjrmbqa._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

151fb5746b08b95408b92e08f4bbeac8c4a1a3fc3ad6f43d237357f10476b33f

GuLoader

68ecb3a0784bbfd4ac9f3d1c76cfc09cff02b4298839e2e1b293e9ef8833b265

GuLoader

79e1fc85396ae65e8431f8ceb92fefb5ec396381840d830c415ea2d81cb78a49

GuLoader

959fc8883e6b1d4ab77f9738792435e2dae1969530f36d2672db6cb397778687

GuLoader

96c459f3f71ca66620515448f8dfa12c67d8b3e020776c93ccda641cce782ad6

GuLoader

9c3860c6744d8b2718e1109e327795014997a81b0e21706a96242d0f8d52f55b

GuLoader

a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f

GuLoader

d0294bc11b1c8e0655189aba2ade4ffb54da6f36e2afc2ef2e0045a5a17203bf

GuLoader

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

GuLoader

+ 1'180 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230609-ntz7psca64/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

AgentTesla

Unpacked files

SH256 hash:

f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

MD5 hash:

8b3830b9dbf87f84ddd3b26645fed3a0

SHA1 hash:

223bef1f19e644a610a0877d01eadc9e28299509

Link:

https://www.unpac.me/results/8abb92bf-c5a8-4aab-bc71-735729d7968e/

SH256 hash:

34db50498fc68bd69ee687abc8634fa85228b02f8683267e70ef54e625316060

MD5 hash:

0b22c43af8ee5ffcadf23001259b63b9

SHA1 hash:

15b128b4d21295eb9cbb519a3d4154934cb419a0

Link:

https://www.unpac.me/results/8abb92bf-c5a8-4aab-bc71-735729d7968e/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/34db50498fc6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/34db50498fc68bd69ee687abc8634fa85228b02f8683267e70ef54e625316060

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/397378/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample