MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 398a3ecbe96e1b4d131f6d367e36aac8e42a89c0f3ddf075fb28f5c6f3921cea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 398a3ecbe96e1b4d131f6d367e36aac8e42a89c0f3ddf075fb28f5c6f3921cea
SHA3-384 hash: 25fea5284329bc9f6fd277aca16775e667bd337dbb91bce4036da98d4e6463be418e713acfb05a6a2912cc998bd9e96d
SHA1 hash: 33d56b2f918129b17f15a186994bd9092a50ea9f
MD5 hash: 382b984e3a091199d778f56ed7faf0d4
humanhash: nebraska-louisiana-connecticut-lemon
File name:FATURA_013_1731pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:321'160 bytes
First seen:2022-09-23 06:19:58 UTC
Last seen:2022-09-28 07:33:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 3072:nFYTUnLKvaVwYzI5PesvjhheNiB+ff0jMWDxLzW8a0TGZidy0OVrmC27PJutTZn:F1kal0PZVheNA+ff039W1xLhVrmPjJOd
Threatray 1'906 similar samples on MalwareBazaar
TLSH T1F764289279C975AFDC2F8A38035FEAB22A795CE07382486E4F40761D4C3564A80EDDD7
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c88604b919c6c6c0 (77 x GuLoader, 10 x Formbook, 8 x AgentTesla)
Reporter JAMESWT_WT
Tags:exe Flngens Mistillidsvota Soudan GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-22T07:21:59Z
Valid to:2025-09-21T07:21:59Z
Serial number: -1c258aae32d0b8b7
Thumbprint Algorithm:SHA256
Thumbprint: c30f575d320ef66d8b1f4097eb4506b47a9b5fcd572e787d25987a1e317afd83
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
410
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ForwardedMessage.eml
Verdict:
Malicious activity
Analysis date:
2022-09-22 15:16:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/46eb8d75-7600-4c24-b4ed-458d534e9da1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312526/
Detection(s):
SecuriteInfo.com.TR.Click.Clikug.AA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/632d50aa39767769653edec0/reports/8513a960-1212-4321-ac42-85a4d1cdf151/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/683a7e9c-eb4a-43b4-b838-6334f14f9f6f
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075720
Signature
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 708262 Sample: FATURA_013_1731pdf.exe Startdate: 23/09/2022 Architecture: WINDOWS Score: 100 28 googlehosted.l.googleusercontent.com 2->28 30 drive.google.com 2->30 32 2 other IPs or domains 2->32 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected GuLoader 2->44 46 4 other signatures 2->46 8 FATURA_013_1731pdf.exe 3 99 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\...\Allosematic.Vol, DOS 8->24 dropped 26 C:\Users\user\AppData\Local\...\System.dll, PE32 8->26 dropped 48 Writes to foreign memory regions 8->48 50 Tries to detect Any.run 8->50 12 CasPol.exe 15 11 8->12         started        16 CasPol.exe 8->16         started        18 CasPol.exe 8->18         started        20 2 other processes 8->20 signatures6 process7 dnsIp8 34 api.telegram.org 149.154.167.220, 443, 49789 TELEGRAMRU United Kingdom 12->34 36 googlehosted.l.googleusercontent.com 172.217.16.129, 443, 49788 GOOGLEUS United States 12->36 38 drive.google.com 172.217.16.206, 443, 49787 GOOGLEUS United States 12->38 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->52 54 Tries to steal Mail credentials (via file / registry access) 12->54 56 Tries to harvest and steal ftp login credentials 12->56 62 2 other signatures 12->62 22 conhost.exe 12->22         started        58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->60 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/398a3ecbe96e1b4d131f6d367e36aac8e42a89c0f3ddf075fb28f5c6f3921cea/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 11:01:51 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgfd5s7jnynu2ey7nu3h4nvkzdscvcoa6po7a5p3fd24n44sdtva._file
Verdict:
unknown
Similar samples:
32734437ca16d5bf5babbbe8dfe93dfdc953418dcd53cde0b7fe55b6c69fc3b4
GuLoader
6d4d55abaccc1b19903ceb6c96d760327bb9c87a744a8806bfb242d547c9e6e3
GuLoader
7d6091a8bcec7aca2c056c17969b59006a7672605ddb2f58adbc3d7aa8f38738
GuLoader
ba99bed9890c619411129e8902aaaf4f65a68c77735a577f8a85428e4f4167e5
GuLoader
cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215
GuLoader
dd39027f02b3a47cb2677440f59575089a0673f134cff175d908be574ebc80ac
GuLoader
ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a
GuLoader
+ 1'896 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220923-g3sqnadda5/
Behaviour
Enumerates physical storage devices
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/65e62678-3e48-4118-9ae2-d18f0c85c049
Unpacked files
SH256 hash:
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
MD5 hash:
7399323923e3946fe9140132ac388132
SHA1 hash:
728257d06c452449b1241769b459f091aabcffc5
Link:
https://www.unpac.me/results/e63cd482-a740-489a-85c3-0e0f8169b761/
SH256 hash:
398a3ecbe96e1b4d131f6d367e36aac8e42a89c0f3ddf075fb28f5c6f3921cea
MD5 hash:
382b984e3a091199d778f56ed7faf0d4
SHA1 hash:
33d56b2f918129b17f15a186994bd9092a50ea9f
Link:
https://www.unpac.me/results/e63cd482-a740-489a-85c3-0e0f8169b761/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/398a3ecbe96e1b4d131f6d367e36aac8e42a89c0f3ddf075fb28f5c6f3921cea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312526/

Comments