MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45fd23b26e7f3d4a79e28bc74ea5119a893de6cd4df0996184d960a2fe4c480c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45fd23b26e7f3d4a79e28bc74ea5119a893de6cd4df0996184d960a2fe4c480c
SHA3-384 hash: 1589546984cd7b1840bca82f89a2b4ae3c98ae62927db9f4df38b96c4208270c502edbfc8d25c3f7ffb871055f4fb116
SHA1 hash: eaf60052cc5f7b73cecfa01dd1270b22aa9bd6c1
MD5 hash: a116a2037582a261b91f92f33407a934
humanhash: freddie-quiet-ten-jersey
File name:Wuerth_factura_4051226052.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:206'232 bytes
First seen:2023-10-24 12:49:38 UTC
Last seen:2023-10-25 08:50:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash aba7b26171cc51de6d40ff60cc44a7f5 (6 x GuLoader, 3 x AgentTesla)
ssdeep 6144:6dnrsfHjPlEqmlNQt/aaaUm/gSLKxbB2k4:7biqmlNQtVUzLKxr4
Threatray 802 similar samples on MalwareBazaar
TLSH T17D14025B1A82C4E2DE530970587A6F1B1E3B7306D0D49E5BEB28BA4739233511F2F5E2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter malwarelabnet
Tags:AgentTesla exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-20T09:43:53Z
Valid to:2026-02-19T09:43:53Z
Serial number: 797ca2747918101c5b65c920b9606bbb5f296b54
Thumbprint Algorithm:SHA256
Thumbprint: 4b223d22ec8cd4be6f78bdc928915657243c28240b2ccc495d57015b1c98e76d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Wuerth_factura_4051226052.exe
Verdict:
Malicious activity
Analysis date:
2023-10-24 16:11:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/016742c3-d356-4881-9482-57e7cdadd439

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455979/
Detection(s):
Win.Trojan.Guloader-10008146-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6537bd7be3768e7905c97171/reports/67d499cc-6fe5-49a5-a70f-1b9c7c2e726a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/45fd23b26e7f3d4a79e28bc74ea5119a893de6cd4df0996184d960a2fe4c480c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3028e9da-1c5e-4316-9ad5-e478ad793d1a
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1331257
Signature
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/45fd23b26e7f3d4a79e28bc74ea5119a893de6cd4df0996184d960a2fe4c480c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45fd23b26e7f3d4a79e28bc74ea5119a893de6cd4df0996184d960a2fe4c480c/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 05:09:41 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ix6shmtop46uu6pcrpdu5jirtket3zwnjxyjsyme3fqkf7smjaga._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1ecf4a80641db7366f049cd1a60eb75d36eb68578d5e71e4e72d2474aa9be7bc
GuLoader
6c3503a56bb86000bf6e5719ef8ea6cf7e61bee2206139b6917a35caaa2bd1f9
GuLoader
afebc44291db59603826cac90112a97e371aa65fdd92c6da15363253e2dac27d
GuLoader
b916d475339eb0e64ad8e4e8bf897adb317c8add907ca4f72c1b7fda76cd8550
GuLoader
ff7cea1471a8650fec0cf17b7006d68320702939027341f922389672bfe88115
GuLoader
ffb16c9e23092b4194b076ed1a8fb847e65051329b025c99ff06088dd760e5a8
GuLoader
+ 792 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231024-p2xxzsda41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
e32b35cde7c6e2c967445de92884684db7fda506ea52b9aaa74c1a33dd2fdfe6
MD5 hash:
55f18cafe28167995629fdeae4f07bdf
SHA1 hash:
a6bd9310f4408c86149993d1e8833d35dd16bb23
Link:
https://www.unpac.me/results/78e2dbc6-24c3-446e-97a6-6fbfc6f266d1/
SH256 hash:
45fd23b26e7f3d4a79e28bc74ea5119a893de6cd4df0996184d960a2fe4c480c
MD5 hash:
a116a2037582a261b91f92f33407a934
SHA1 hash:
eaf60052cc5f7b73cecfa01dd1270b22aa9bd6c1
Link:
https://www.unpac.me/results/78e2dbc6-24c3-446e-97a6-6fbfc6f266d1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/45fd23b26e7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/455979/

Comments