MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898
SHA3-384 hash:	41d78fac3893c43bc3fbd644c03ec529ad5ea3e828ddf78747931da5b4b9a06c386c0c889d71b285912a13eb6fc7b8eb
SHA1 hash:	9d4ba161bf60e243951b436feb14c2c0d3284a73
MD5 hash:	53981e94bf9b125871ff3d555fcb6e18
humanhash:	georgia-green-leopard-texas
File name:	OFFER REQUEST.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	377'884 bytes
First seen:	2023-11-26 18:20:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7eae418c7423834ffc3d79b4300bd6fb (51 x GuLoader, 16 x RemcosRAT, 15 x AgentTesla)
ssdeep	6144:bNDlOltlhJka8EOHDn7m8aviLBdRIdpoqgYT83+KAmfL3:but7JkzEOjn7mHviPlA8OxU3
TLSH	T1568412816344D09EE56A16325F3BAEE617A93C3D19547A8BB6B4F32D383F252C70E305
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e4e0d27230b95858 (4 x AgentTesla, 2 x GuLoader)
Reporter	abuse_ch
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/460403/

Detection(s):

SecuriteInfo.com.Trojan.Agent.EKCH.14211.11984.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% subdirectories

Delayed reading of the file

Searching for the window

Searching for the Windows task manager window

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65638c967485e5b1ecbbd98b/reports/14f16ceb-6a2c-4a1b-a25d-94faadabe3f2/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1bc42995-531a-4d48-90e9-9c9337a5ec1d

Result

Threat name:

GuLoader, AgentTesla

Detection:

malicious

Classification:

troj.evad.spre.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1348090

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-11-23 09:15:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 23 (65.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ik5u5jzgu2auefanxy4vhzqcp5ixnlvtlhigzjywkk75mgr2jcma._file

Verdict:

malicious

Label(s):

agenttesla_v4

Result

Malware family:

guloader

Score:

10/10

Tags:

family:agenttesla family:guloader downloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231126-wzbqasah45/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

AgentTesla

Guloader,Cloudeye

Unpacked files

SH256 hash:

1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

MD5 hash:

f27689c513e7d12c7c974d5f8ef710d6

SHA1 hash:

e305f2a2898d765a64c82c449dfb528665b4a892

Link:

https://www.unpac.me/results/b9724154-add3-4234-9ac3-ad49f050a4ee/

SH256 hash:

6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

MD5 hash:

8cf2ac271d7679b1d68eefc1ae0c5618

SHA1 hash:

7cc1caaa747ee16dc894a600a4256f64fa65a9b8

Link:

https://www.unpac.me/results/b9724154-add3-4234-9ac3-ad49f050a4ee/

SH256 hash:

bc4f95b716d26bbf9a6434569a6d777755ba233666a9ce57cb393ca25b82212f

MD5 hash:

d4be14b49e319ba76c559e6c2c284a04

SHA1 hash:

ef39e0be34505530da6710d450c0d97922ef0e1d

Link:

https://www.unpac.me/results/b9724154-add3-4234-9ac3-ad49f050a4ee/

SH256 hash:

f344713a08459675b6db6fc79e93f7813d8793af6fd9a2c8c64aa1a0a0e0d218

MD5 hash:

d53c32cedd3d4c37d0a35183ec531ed9

SHA1 hash:

1184372024a780df8234ac67c4a5db4d303adbc5

Link:

https://www.unpac.me/results/b9724154-add3-4234-9ac3-ad49f050a4ee/

SH256 hash:

42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898

MD5 hash:

53981e94bf9b125871ff3d555fcb6e18

SHA1 hash:

9d4ba161bf60e243951b436feb14c2c0d3284a73

Link:

https://www.unpac.me/results/b9724154-add3-4234-9ac3-ad49f050a4ee/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.84

Link:

https://yomi.yoroi.company/submissions/42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe 42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/460403/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample