MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fa114c3b8700d797d3ae19984264b795b11b130ffa4ad94fbc3793feeb3013e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fa114c3b8700d797d3ae19984264b795b11b130ffa4ad94fbc3793feeb3013e
SHA3-384 hash: ba2e179d4ce2ff4427af3960da16a030a02b49d390192b1d3287ad68f7e66213d1d64deb665c5c5e3082154fa1efaffb
SHA1 hash: f76c108e4049c077f10947dc9f9357d1e3c654ef
MD5 hash: ce2dc746aa83d45b1f848e77a61467b1
humanhash: william-pip-oven-burger
File name:Order_list.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:779'183 bytes
First seen:2022-10-17 18:14:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 076b06e6a65c9b7cca5a61be0cd82165 (51 x GuLoader, 4 x AgentTesla, 4 x Formbook)
ssdeep 12288:av9ICmUm69vqEMQQWZyNbhXKNT3yZrn0aHDyq9DSXALFWWpGwA51mHD7:29uUmUvhMQQWANbhXQ3yBDyq0Gza51m/
Threatray 14'880 similar samples on MalwareBazaar
TLSH T1D8F402A2354B8C82F8162573441D6570239AFE5A062D87EA3E53996EFDF13130ED3B4B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ecece8e0e0ece4ca (1 x AgentTesla, 1 x GuLoader)
Reporter malwarelabnet
Tags:AgentTesla exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
487
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321110/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43515/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/634d9ba7c99b342ba010c136/reports/9953fb69-ef24-4f62-8b93-3c1b1d620f58/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6c2c1fd3-97be-4ee6-905e-534d10e3b5a9
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092197
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 724813 Sample: Order_list.exe Startdate: 17/10/2022 Architecture: WINDOWS Score: 100 30 googlehosted.l.googleusercontent.com 2->30 32 drive.google.com 2->32 34 2 other IPs or domains 2->34 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected GuLoader 2->46 48 4 other signatures 2->48 8 Order_list.exe 23 2->8         started        signatures3 process4 file5 24 C:\Users\user\Reunitive\...\rpctool.exe, PE32+ 8->24 dropped 26 C:\Users\user\Reunitive\...\avutil-54.dll, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 8->28 dropped 50 Writes to foreign memory regions 8->50 52 Tries to detect Any.run 8->52 12 CasPol.exe 15 19 8->12         started        16 CasPol.exe 8->16         started        18 CasPol.exe 8->18         started        20 CasPol.exe 8->20         started        signatures6 process7 dnsIp8 36 api.telegram.org 149.154.167.220, 443, 49835, 49837 TELEGRAMRU United Kingdom 12->36 38 googlehosted.l.googleusercontent.com 142.250.185.65, 443, 49834 GOOGLEUS United States 12->38 40 drive.google.com 216.58.212.174, 443, 49833 GOOGLEUS United States 12->40 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->54 56 Tries to steal Mail credentials (via file / registry access) 12->56 58 Tries to harvest and steal ftp login credentials 12->58 64 2 other signatures 12->64 22 conhost.exe 12->22         started        60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->62 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fa114c3b8700d797d3ae19984264b795b11b130ffa4ad94fbc3793feeb3013e/
Threat name:
Win32.Downloader.Minix
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 15:18:00 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
13 of 26 (50.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6qrjq5yoagxs7j24gmyijslpfnrdmjq76sk3fh3yn4t73vtae7a._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
23f6c24a5984c1bc1450f2d6eb32f3ece4e52bc275b4e9eea038db9f7f4f7717
GuLoader
5b44d377e2ac43e289acf6f2ce0c3062955c523886c79f4235317535a563ec9c
GuLoader
6619a23606037c409d8a806d59156f73cc1493462da007f59002da7c1a9892e6
GuLoader
6d4d55abaccc1b19903ceb6c96d760327bb9c87a744a8806bfb242d547c9e6e3
GuLoader
7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20
GuLoader
c8b9df067d8ce54ce2c376ad20bd6130dc1f3d4feac573da798e68a202b2ef6f
GuLoader
df06ee14dcd8d18eae4a818033bd9c3a2971adcf7c0fe9a2ee563a95e975286f
GuLoader
e024d90a271d4496b50aa2f15d174c5ac3dc3b635573466503d84d95de5b6f79
GuLoader
ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a
GuLoader
+ 14'870 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221017-wvwjxaceg6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5789565839:AAGv9XhsZdqTdFUOTNKJtcYQ1hes323bYNo/
Unpacked files
SH256 hash:
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
MD5 hash:
4d3b19a81bd51f8ce44b93643a4e3a99
SHA1 hash:
35f8b00e85577b014080df98bd2c378351d9b3e9
Link:
https://www.unpac.me/results/b451c57f-4fa7-4a2d-ab1b-7af1d7fdf8cb/
SH256 hash:
37e8190ee63577d0eb329d0f00b638de1d8ea7b2ac2fdbc3f1aa8a44f8bafe2d
MD5 hash:
c779731f7dcc2bd7b2a71a796cbebdcb
SHA1 hash:
ff6b63aa4d554ba7316dae609a7fb9d31844da52
Link:
https://www.unpac.me/results/b451c57f-4fa7-4a2d-ab1b-7af1d7fdf8cb/
SH256 hash:
3fa114c3b8700d797d3ae19984264b795b11b130ffa4ad94fbc3793feeb3013e
MD5 hash:
ce2dc746aa83d45b1f848e77a61467b1
SHA1 hash:
f76c108e4049c077f10947dc9f9357d1e3c654ef
Link:
https://www.unpac.me/results/b451c57f-4fa7-4a2d-ab1b-7af1d7fdf8cb/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3fa114c3b870/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/3fa114c3b8700d797d3ae19984264b795b11b130ffa4ad94fbc3793feeb3013e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/321110/

Comments