MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447
SHA3-384 hash:	dab03dc57bc7ebdbc618186dfddaa1f7a124915c230c048b5421092627a517200fc1a1d7513fbafa4e1f423e14631e43
SHA1 hash:	f31651f85365c8fcccb004cbfbd89b5c84453842
MD5 hash:	bde54f831a79aae0a9e39c446e5afe5d
humanhash:	berlin-summer-july-beryllium
File name:	3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	333'128 bytes
First seen:	2023-04-04 13:19:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep	6144:6T4DtKpxovz+RYY+uRR04v9rlg3hXrRdqNPC9ESbucKYgqjTGM:6TDpxA+RAuo4v9rlg3cAtuZC
Threatray	1'472 similar samples on MalwareBazaar
TLSH	T1F664F1A3A3E0EE17E07D4F36353482B6D7EE5A58342199D74360254DDF723839E6B20A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8cc03489b3dada23 (2 x GuLoader)
Reporter	adrian__luca
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-08-15T07:57:18Z
Valid to:	2025-08-14T07:57:18Z
Serial number:	6b1d9fee249e8a45ad9870898b56688874deb872
Thumbprint Algorithm:	SHA256
Thumbprint:	43b7e96149dc8fd7ca5bfe6fa6d18aa00cd2baf9a2bc4e3ebc007532d970a6ae
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447

Verdict:

Malicious activity

Analysis date:

2023-04-04 13:18:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/04622d55-c248-46eb-8ae9-53708eedb8dd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/380036/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.66155052.10192.1360.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file

Searching for the window

Creating a file in the %temp% subdirectories

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/76512/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

guloader icedid overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/642c2404497fb6f23efd548e/reports/0b680a78-725c-4d28-98e6-e62905397005/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/6acff00d-e5d7-4456-83ef-da99c089ac6d

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1208146

Signature

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-03-29 10:05:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hre67cuk7reduhs2ldohns2g5x5egfswdpzcmwzshspw6vzp2rdq._file

Verdict:

malicious

GuLoader

4709918939b87a9c054e217770dc158f33c7446815b548d5dabd4a6b138b61b8

GuLoader

486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5

GuLoader

799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21

GuLoader

cf890935581d55d30342de2c71190393c3c03b99258ba7a1e3e3139099ee0b97

GuLoader

cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1

GuLoader

cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3

GuLoader

f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2

GuLoader

+ 1'462 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:agenttesla family:guloader discovery downloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230404-qk384sfb69/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

Looks up external IP address via web service

Checks QEMU agent file

Loads dropped DLL

AgentTesla

Guloader,Cloudeye

Unpacked files

SH256 hash:

7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

MD5 hash:

564bb0373067e1785cba7e4c24aab4bf

SHA1 hash:

7c9416a01d821b10b2eef97b80899d24014d6fc1

Link:

https://www.unpac.me/results/f2de60e1-19d2-4fdd-8086-4de334f5eabd/

SH256 hash:

3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447

MD5 hash:

bde54f831a79aae0a9e39c446e5afe5d

SHA1 hash:

f31651f85365c8fcccb004cbfbd89b5c84453842

Link:

https://www.unpac.me/results/f2de60e1-19d2-4fdd-8086-4de334f5eabd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380036/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample