MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a88bb2699f4992e13ed7f7ada9495e040ddfb3107ffc158063f04b9e006fca2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a88bb2699f4992e13ed7f7ada9495e040ddfb3107ffc158063f04b9e006fca2
SHA3-384 hash: b37fa0eba747f9519905c16495bd1b8710177c0d5bdb5b397364667695757efa6af0c36af30818d2e43406837673537c
SHA1 hash: caf992eab74a7886bdfd52568b401504fd736bad
MD5 hash: 5bb58b700946c8844469cd9fe1700005
humanhash: maryland-saturn-early-eighteen
File name:SecuriteInfo.com.Gen.Variant.Nemesis.10183.27936.23439
Download: download sample
Signature GuLoader
Create hunting rule
File size:414'848 bytes
First seen:2022-08-24 10:43:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:BT4Dt9b/gHuGBAd6+wy9D0bW8/ceB2WQE8AJ1BP6qBAV369Xr7mBzlOfMw+BY:BTZ8F0WWn8AJ1BxmV369b+IP
Threatray 13'861 similar samples on MalwareBazaar
TLSH T16194F1223748D8A2D57D44F2E573A5AB8DB0ED266A68DC1333603F1F7B79A53E80E105
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8c0da66e2e868b8 (1 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Eventide Novelledefinitioners
Issuer:Eventide Novelledefinitioners
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-31T09:13:20Z
Valid to:2024-12-30T09:13:20Z
Serial number: 40b1f0edd0be255e
Thumbprint Algorithm:SHA256
Thumbprint: 01eb547a45eb496bfff126a1cf7e139f48a41cdfaec244e668d76ffbaabc8b35
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Nemesis.10183.27936.23439
Verdict:
Malicious activity
Analysis date:
2022-08-24 10:44:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d96eebc0-f1b1-48e6-8265-0b81cc6694cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300826/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.10183.27936.23439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29910/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6306016ec7e5977f84e72231/reports/dde00f88-fe6a-49c8-b041-9855a638363d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1a2b0a89-124b-480f-81ec-e63ea6307210
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1056918
Signature
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a88bb2699f4992e13ed7f7ada9495e040ddfb3107ffc158063f04b9e006fca2/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-08-24 10:44:07 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkelwjuz6sms4e7np55nvfev4ban36zra774cwagh4cltyag7sra._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
42848486deff7c04f76ad5d52d9ec293ffd07eae20d102781694db235106d459
GuLoader
493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c
GuLoader
617208cb1572a2d167753cb9a163fee04a6a5df5d75f555b14c79a1f3cb09d8e
GuLoader
6d4d55abaccc1b19903ceb6c96d760327bb9c87a744a8806bfb242d547c9e6e3
GuLoader
8f9cf775cd2f30283dac9c8441e6787000ba95706d467b5199a00b3aaa213ea5
GuLoader
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
GuLoader
ab68c3f1654e49a32d6750b88ee3f472fe69aa1691998b2bcb76936d054a215a
GuLoader
f404a5d8e7a6622e073a2a596e728cb5be383baa2df71924d116db5ed2fa68ee
GuLoader
f958e4ed4aeeb30bdff566e749d1f0974e8a2d01cd3782eae9134c85f39b4f0f
GuLoader
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
GuLoader
+ 13'851 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader collection discovery downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220824-mss7bsccdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Guloader,Cloudeye
Malware Config
C2 Extraction:
https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument
Unpacked files
SH256 hash:
b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81
MD5 hash:
a1da6788aeaf78ca4ae1dece8019e49d
SHA1 hash:
d770155e6e9aa69223be198c44a8da26a1756d89
Link:
https://www.unpac.me/results/a80fee1e-a870-472e-a33c-a66df455f000/
SH256 hash:
4a88bb2699f4992e13ed7f7ada9495e040ddfb3107ffc158063f04b9e006fca2
MD5 hash:
5bb58b700946c8844469cd9fe1700005
SHA1 hash:
caf992eab74a7886bdfd52568b401504fd736bad
Link:
https://www.unpac.me/results/a80fee1e-a870-472e-a33c-a66df455f000/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a88bb2699f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4a88bb2699f4992e13ed7f7ada9495e040ddfb3107ffc158063f04b9e006fca2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/300826/

Comments