MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d715fab1455552a0c842dc9666ccb29d2c85522c38487d86bb861416d1cdaed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	3d715fab1455552a0c842dc9666ccb29d2c85522c38487d86bb861416d1cdaed
SHA3-384 hash:	406f1935598fa62db9feb0999bea9996d5c8495f1634fffaf36389eb49ff70a5125a5c899ef019dad47ab5879b5fcba4
SHA1 hash:	aaa1fdcef4ff5f8accb7579dce6ec458f57cdb4e
MD5 hash:	9fecd530d0c11ef0066ac64d8acc1eb8
humanhash:	massachusetts-mars-lake-quebec
File name:	SecuriteInfo.com.W32.AIDetect.malware2.8414.13334
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	770'720 bytes
First seen:	2022-09-01 01:31:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep	12288:ZqUyPO6sfIg5fIhUH/tkzOHHVzmz9xabYtleahPrNC4T6ouo8yi:6W6h0ffe8I9tM4uf
TLSH	T13FF4124336D4B256D5508A34E8F7E395DA76FE184D7049477314EF2E3A38383A90B36A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0a9b898c8e0969a (2 x GuLoader)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Luskeriet Forgelse Indtil
Issuer:	Luskeriet Forgelse Indtil
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-01-27T11:32:01Z
Valid to:	2025-01-26T11:32:01Z
Serial number:	-17d702ad36ecf820
Thumbprint Algorithm:	SHA256
Thumbprint:	465baf06bebe1126c87e9d1100a4c68355e4254c5fcb9982c5a9c8287ecaab49
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

pago devuelto.pdf.img

Verdict:

Malicious activity

Analysis date:

2022-08-31 23:04:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9cb2af71-9f3d-46c4-a285-1170461103d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/307042/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.8414.13334.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file

Creating a file in the %temp% subdirectories

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/36244/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63100be6ab0be91dfea3bd2d/reports/3acf5363-c5ac-48d9-a04c-b914344ccc94/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7a6ea978-e41d-4de8-863f-42849477dca3

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1062233

Signature

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d715fab1455552a0c842dc9666ccb29d2c85522c38487d86bb861416d1cdaed/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2022-08-31 21:22:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

6 of 26 (23.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hvyv7kyukvksudeefxewm3glfhjmqvjcyocipwdlxbquc3i43lwq._file

Result

Malware family:

guloader

Score:

10/10

Tags:

family:agenttesla family:guloader downloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220901-bxyf3aedbn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent file

Loads dropped DLL

AgentTesla payload

AgentTesla

Guloader,Cloudeye

Unpacked files

SH256 hash:

2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

MD5 hash:

a4dd044bcd94e9b3370ccf095b31f896

SHA1 hash:

17c78201323ab2095bc53184aa8267c9187d5173

Link:

https://www.unpac.me/results/2a26a450-23eb-406c-b74b-71f6e1bbe3b3/

SH256 hash:

f7f18593f39918e37ff143130a7ba54004e0385ff018d98200a7751569d5e481

MD5 hash:

e07aed58d32bb9f432045fe21ea8b5fa

SHA1 hash:

087755d95ddb41ade9ddb47ddd38bc6e3cd66364

Link:

https://www.unpac.me/results/2a26a450-23eb-406c-b74b-71f6e1bbe3b3/

SH256 hash:

7bb5b66e987e4029172d097822dea6adf4baf5ae5f95a0a812c680c1b9e06fac

MD5 hash:

31597ed1eeceae0197fad0628ace5349

SHA1 hash:

c949f14532575cc02c0b22e34922d84d4e84e57d

Link:

https://www.unpac.me/results/2a26a450-23eb-406c-b74b-71f6e1bbe3b3/

SH256 hash:

3d715fab1455552a0c842dc9666ccb29d2c85522c38487d86bb861416d1cdaed

MD5 hash:

9fecd530d0c11ef0066ac64d8acc1eb8

SHA1 hash:

aaa1fdcef4ff5f8accb7579dce6ec458f57cdb4e

Link:

https://www.unpac.me/results/2a26a450-23eb-406c-b74b-71f6e1bbe3b3/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3d715fab1455/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/3d715fab1455552a0c842dc9666ccb29d2c85522c38487d86bb861416d1cdaed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/307042/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample