MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286
SHA3-384 hash: ce58f27166fd3ca3bb971e53ceb64200809d1dd49429233a9ad2b7d1d3f3e13a38eb2f96c6da9e0c43d7de6e9f6aff8a
SHA1 hash: d96ca9c7bdd9ab702646525bc6a361d5df9463e3
MD5 hash: 35ac0e2334665543f799dfa7df63d512
humanhash: blossom-aspen-lion-arkansas
File name:PO#ATN-19055-1.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:200'904 bytes
First seen:2022-10-25 10:41:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 3072:8DJ0rZo6StCBXJtlIOWHzn3x7WkV9s3hiTXJjE2EnVozY+sSraK/N26e2Cg9VS62:8DSoIKHznhp9ghiTVxEnVXsrG2ConyT
Threatray 204 similar samples on MalwareBazaar
TLSH T1AD14129122F844A7F81B4AB22FF69DACF575FB111810079BEB248FB53D21392DD0A61C
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter madjack_red
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2021-10-25T04:28:24Z
Valid to:2024-10-24T04:28:24Z
Serial number: -3d91e3076c87a6a7
Thumbprint Algorithm:SHA256
Thumbprint: 9b1ed39f6dc759bff62e8189c2bbe2b07758297a3247946d06801aa0901253f6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
PO#ATN-19055-1.exe
Verdict:
Malicious activity
Analysis date:
2022-10-25 10:45:48 UTC
Tags:
installer guloader
Link:
https://app.any.run/tasks/746092ac-9bca-487c-9407-6472f1103f7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323930/
Detection(s):
SecuriteInfo.com.Adware.Agent.OKV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9bbd9034-b561-441f-9788-0874a955e1ce
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097655
Signature
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 730307 Sample: PO#ATN-19055-1.exe Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 37 palumalimited.com 2->37 39 mail.palumalimited.com 2->39 41 2 other IPs or domains 2->41 51 Snort IDS alert for network traffic 2->51 53 Multi AV Scanner detection for domain / URL 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 8 PO#ATN-19055-1.exe 2 30 2->8         started        12 DnDcR.exe 2 2->12         started        14 DnDcR.exe 1 2->14         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\System.dll, PE32 8->29 dropped 59 Writes to foreign memory regions 8->59 61 Tries to detect Any.run 8->61 16 CasPol.exe 18 15 8->16         started        21 conhost.exe 12->21         started        23 conhost.exe 14->23         started        signatures6 process7 dnsIp8 31 palumalimited.com 174.136.29.110, 49825, 587 IHNETUS United States 16->31 33 192.227.183.138, 49822, 80 AS-COLOCROSSINGUS United States 16->33 35 api.ipify.org.herokudns.com 3.232.242.170, 443, 49824 AMAZON-AESUS United States 16->35 27 C:\Users\user\AppData\Roaming\...\DnDcR.exe, PE32 16->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->45 47 Tries to steal Mail credentials (via file / registry access) 16->47 49 8 other signatures 16->49 25 conhost.exe 16->25         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 01:37:42 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ipx6jemvlngu2naldc3546dyij3pasgy2w4z7h77akcnkyzcmkda._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
GuLoader
32734437ca16d5bf5babbbe8dfe93dfdc953418dcd53cde0b7fe55b6c69fc3b4
GuLoader
37c86f121c6f2444ba270e021f0fe141de6dac7cba6267e9a873f72eabb6bbff
GuLoader
65e331380851f9aced88e0aa9e78e70d04131fa073c5278f6e7fbeb0dff82267
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
79f0258fb0f3f2379e0a0320a754686cbc9e4627240f03663276b6b724952fb9
GuLoader
7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92
GuLoader
ba99bed9890c619411129e8902aaaf4f65a68c77735a577f8a85428e4f4167e5
GuLoader
+ 194 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221025-mrpgracchq/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0f14b454-bbb8-4cf5-bb30-19118e9717ea
Unpacked files
SH256 hash:
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
MD5 hash:
960a5c48e25cf2bca332e74e11d825c9
SHA1 hash:
da35c6816ace5daf4c6c1d57b93b09a82ecdc876
Link:
https://www.unpac.me/results/2605ec6f-13a2-43f7-b4f4-7b5b48941880/
SH256 hash:
43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286
MD5 hash:
35ac0e2334665543f799dfa7df63d512
SHA1 hash:
d96ca9c7bdd9ab702646525bc6a361d5df9463e3
Link:
https://www.unpac.me/results/2605ec6f-13a2-43f7-b4f4-7b5b48941880/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323930/

Comments